Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572098
MD5: b83484c3308f5ccee74b32fecbd5868c
SHA1: b3b557f3bf6019df3ab543760a027dfc3856c526
SHA256: 9e11cbefdb3ba615161b19b9ec876063f892c32aeebc86cb7976a0317cb3326f
Tags: exe, user-Bitsight
Infos:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6540 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B83484C3308F5CCEE74B32FECBD5868C)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2120790732.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E082
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E089
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051DEFC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051DF17
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051DF06
Source: file.exe, 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeQT
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2817536 > 1048576
Source: file.exe | Static PE information: Raw size of iqfgoyby is bigger than: 0x100000 < 0x2a9e00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2120790732.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.390000.0.unpack :EW;.rsrc:W;.idata :W;iqfgoyby:EW;fltcogvq:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2b72c9 should be: 0x2b7920
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: iqfgoyby
Source: file.exe | Static PE information: section name: fltcogvq
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005204BA push edx; ret | 0_2_00520519
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051D62F push 207ABF7Ch; mov dword ptr [esp], eax | 0_2_0051D6D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051D62F push esi; mov dword ptr [esp], edx | 0_2_0051D7AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A0BA7 push 40AAE1B7h; mov dword ptr [esp], edx | 0_2_003A0BBB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A0BA7 push eax; mov dword ptr [esp], 71F8ABF5h | 0_2_003A2EB2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A5018 push ebx; mov dword ptr [esp], edx | 0_2_003A501C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00526078 push eax; mov dword ptr [esp], 0A5C6B10h | 0_2_00526082
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A2064 push eax; mov dword ptr [esp], ebp | 0_2_003A3DC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A405D push esi; mov dword ptr [esp], 3D79F9ACh | 0_2_003A407F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BA020 push esi; mov dword ptr [esp], ebp | 0_2_005BA0B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A20BE push edi; mov dword ptr [esp], ebx | 0_2_003A20C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052A0D9 push 360F8580h; mov dword ptr [esp], ebx | 0_2_0052A0E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039F09D push ebx; mov dword ptr [esp], edi | 0_2_0039F0A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039F09D push edx; mov dword ptr [esp], ecx | 0_2_0039F9EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057D0FD push ecx; mov dword ptr [esp], 73FFE702h | 0_2_0057D124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057D0FD push eax; mov dword ptr [esp], 77B73C21h | 0_2_0057D13E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E082 push 7A0B8301h; mov dword ptr [esp], edx | 0_2_0051E0A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E082 push ecx; mov dword ptr [esp], 5BEB5111h | 0_2_0051E0D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E082 push esi; mov dword ptr [esp], eax | 0_2_0051E12C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E089 push 7A0B8301h; mov dword ptr [esp], edx | 0_2_0051E0A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E089 push ecx; mov dword ptr [esp], 5BEB5111h | 0_2_0051E0D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051E089 push esi; mov dword ptr [esp], eax | 0_2_0051E12C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B10AD push 37B8BEFEh; mov dword ptr [esp], edi | 0_2_005B10E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052A155 push esi; mov dword ptr [esp], 00000004h | 0_2_0052E22B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052A155 push ebp; mov dword ptr [esp], edx | 0_2_0052E248
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A158 push 324665F6h; mov dword ptr [esp], eax | 0_2_0051A8FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051F141 push eax; mov dword ptr [esp], edx | 0_2_0051F199
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A112D push edx; mov dword ptr [esp], 07FF449Bh | 0_2_003A4246
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051A17B push 4A5CBED6h; mov dword ptr [esp], esi | 0_2_0051A19F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060311D push 1B869DEBh; mov dword ptr [esp], eax | 0_2_00603148
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060311D push esi; mov dword ptr [esp], 00272CEAh | 0_2_0060314C
Source: file.exe | Static PE information: section name: (empty) entropy: 7.720931482911967

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39E514 second address: 39E518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39DD69 second address: 39DD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39DD6D second address: 39DD77 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51E349 second address: 51E34D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51E34D second address: 51E361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51D4CF second address: 51D4E1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCFF4D9C226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jl 00007FCFF4D9C226h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51D652 second address: 51D673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FCFF4C7A659h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51DBCF second address: 51DBDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FCFF4D9C226h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51DBDF second address: 51DBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52030F second address: 520319 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCFF4D9C22Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 520319 second address: 52035B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FCFF4C7A648h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D2D75h], ecx 0x00000029 mov ch, al 0x0000002b call 00007FCFF4C7A649h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52035B second address: 52035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52035F second address: 520365 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 520365 second address: 52036B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52036B second address: 520378 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 520378 second address: 520382 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 520382 second address: 520390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 520390 second address: 52039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52039D second address: 5203A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5204AE second address: 52053B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FCFF4D9C235h 0x0000000c pop eax 0x0000000d popad 0x0000000e nop 0x0000000f jmp 00007FCFF4D9C22Dh 0x00000014 push 00000000h 0x00000016 push C9A4E6D2h 0x0000001b jns 00007FCFF4D9C22Eh 0x00000021 add dword ptr [esp], 365B19AEh 0x00000028 adc si, D906h 0x0000002d push 00000003h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007FCFF4D9C228h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D2D75h], edx 0x00000051 push 00000003h 0x00000053 movzx esi, si 0x00000056 push 4C0E874Dh 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FCFF4D9C22Ch 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52053B second address: 52058C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCFF4C7A64Eh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 73F178B3h 0x00000014 adc cx, 2D2Fh 0x00000019 lea ebx, dword ptr [ebp+1245619Dh] 0x0000001f jg 00007FCFF4C7A64Bh 0x00000025 xchg eax, ebx 0x00000026 push edi 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a jmp 00007FCFF4C7A64Ch 0x0000002f popad 0x00000030 pop edi 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jl 00007FCFF4C7A648h 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52058C second address: 520596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCFF4D9C226h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 52061C second address: 5206B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A64Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 733D4FC7h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FCFF4C7A648h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000003h 0x0000002c mov esi, dword ptr [ebp+122D3C1Eh] 0x00000032 jmp 00007FCFF4C7A653h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007FCFF4C7A648h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 mov si, cx 0x00000056 push 00000003h 0x00000058 mov edi, ebx 0x0000005a call 00007FCFF4C7A649h 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 jmp 00007FCFF4C7A64Dh 0x00000067 pushad 0x00000068 popad 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5206B5 second address: 5206D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C230h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5206D5 second address: 5206D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5092C6 second address: 5092D8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FCFF4D9C22Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F6A8 second address: 53F6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F6B6 second address: 53F6BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F6BA second address: 53F6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FCFF4C7A646h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F6C8 second address: 53F6EC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCFF4D9C226h 0x00000008 jng 00007FCFF4D9C226h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FCFF4D9C231h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F6EC second address: 53F718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007FCFF4C7A665h 0x00000011 jmp 00007FCFF4C7A659h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F718 second address: 53F724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007FCFF4D9C226h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F724 second address: 53F769 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCFF4C7A646h 0x00000008 jmp 00007FCFF4C7A652h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 pushad 0x00000013 popad 0x00000014 jbe 00007FCFF4C7A646h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FCFF4C7A659h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53F8CB second address: 53F8CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53FD6A second address: 53FD70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53FEC8 second address: 53FEFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C22Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCFF4D9C23Ah 0x0000000f jg 00007FCFF4D9C22Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 540A37 second address: 540A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A64Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5436FE second address: 543702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 544532 second address: 544536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 544536 second address: 54453C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54453C second address: 54454B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54454B second address: 544571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edi 0x0000000f pushad 0x00000010 jmp 00007FCFF4D9C234h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5446E0 second address: 5446E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51832B second address: 518331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 518331 second address: 518366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FCFF4C7A646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FCFF4C7A652h 0x00000014 pop edx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 jmp 00007FCFF4C7A64Ch 0x0000001e pushad 0x0000001f popad 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C705 second address: 54C722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCFF4D9C226h 0x0000000a jmp 00007FCFF4D9C231h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54BEAA second address: 54BEAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54BEAE second address: 54BECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C232h 0x00000007 jmp 00007FCFF4D9C22Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54C551 second address: 54C578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A657h 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50E2E9 second address: 50E2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50E2EF second address: 50E2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50E2F3 second address: 50E2F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE2A second address: 54CE48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A653h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE48 second address: 54CE4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE4C second address: 54CE52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE52 second address: 54CE6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C22Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE6C second address: 54CE70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE70 second address: 54CE7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE7A second address: 54CE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE7E second address: 54CE82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CE82 second address: 54CEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FCFF4C7A653h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FCFF4C7A64Ch 0x0000001a jg 00007FCFF4C7A646h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54CEB0 second address: 54CEB5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54DD5C second address: 54DD76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCFF4C7A656h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54DD76 second address: 54DD7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54DE71 second address: 54DE75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E151 second address: 54E155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54E155 second address: 54E178 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A652h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx edi, bx 0x0000000d movsx esi, di 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E178 second address: 54E17C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54EEE6 second address: 54EEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 550C37 second address: 550C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55229F second address: 5522B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A64Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5522B4 second address: 5522B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5522B8 second address: 5522BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50AD84 second address: 50AD8A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50AD8A second address: 50AD98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCFF4C7A64Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 552047 second address: 552051 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCFF4D9C226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50AD98 second address: 50AD9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5544B0 second address: 5544DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C236h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCFF4D9C22Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5544DC second address: 5544F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A654h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554FD0 second address: 554FE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FCFF4D9C226h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554FE1 second address: 554FE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 554FE5 second address: 554FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557D98 second address: 557D9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557D9C second address: 557DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557DA2 second address: 557DAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCFF4C7A646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5592AB second address: 5592AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5592AF second address: 5592D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 jmp 00007FCFF4C7A650h 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5592D1 second address: 559345 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCFF4D9C23Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b movzx edi, di 0x0000000e pushad 0x0000000f mov edx, ecx 0x00000011 push ebx 0x00000012 mov dword ptr [ebp+124563C8h], edi 0x00000018 pop edi 0x00000019 popad 0x0000001a push 00000000h 0x0000001c mov edi, dword ptr [ebp+122D39CEh] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebp 0x00000027 call 00007FCFF4D9C228h 0x0000002c pop ebp 0x0000002d mov dword ptr [esp+04h], ebp 0x00000031 add dword ptr [esp+04h], 00000017h 0x00000039 inc ebp 0x0000003a push ebp 0x0000003b ret 0x0000003c pop ebp 0x0000003d ret 0x0000003e mov di, C205h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FCFF4D9C234h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559345 second address: 55934B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5558DF second address: 5558E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A4C6 second address: 55A4CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55946B second address: 559470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A4CC second address: 55A507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A64Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D352Fh], edi 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 and edi, dword ptr [ebp+122D3AA2h] 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e sub dword ptr [ebp+122D1DCAh], edi 0x00000024 adc bx, 3834h 0x00000029 push eax 0x0000002a push ecx 0x0000002b push eax 0x0000002c push edx 0x0000002d jbe 00007FCFF4C7A646h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559470 second address: 559475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559562 second address: 559566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559566 second address: 55956A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55C5D5 second address: 55C5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007FCFF4C7A646h 0x00000010 jne 00007FCFF4C7A646h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D7CD second address: 55D7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D7D2 second address: 55D88F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCFF4C7A64Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov ebx, dword ptr [ebp+122D1E7Ah] 0x00000011 push dword ptr fs:[00000000h] 0x00000018 pushad 0x00000019 sub dword ptr [ebp+122D348Fh], esi 0x0000001f xor ax, 9C88h 0x00000024 popad 0x00000025 mov ebx, ecx 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e mov ebx, dword ptr [ebp+122D3A26h] 0x00000034 mov eax, dword ptr [ebp+122D12B5h] 0x0000003a push 00000000h 0x0000003c push ebx 0x0000003d call 00007FCFF4C7A648h 0x00000042 pop ebx 0x00000043 mov dword ptr [esp+04h], ebx 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc ebx 0x00000050 push ebx 0x00000051 ret 0x00000052 pop ebx 0x00000053 ret 0x00000054 add dword ptr [ebp+122D1CDAh], eax 0x0000005a mov edi, dword ptr [ebp+122D30EDh] 0x00000060 push FFFFFFFFh 0x00000062 push 00000000h 0x00000064 push edi 0x00000065 call 00007FCFF4C7A648h 0x0000006a pop edi 0x0000006b mov dword ptr [esp+04h], edi 0x0000006f add dword ptr [esp+04h], 00000019h 0x00000077 inc edi 0x00000078 push edi 0x00000079 ret 0x0000007a pop edi 0x0000007b ret 0x0000007c jmp 00007FCFF4C7A659h 0x00000081 mov ebx, dword ptr [ebp+122D1C98h] 0x00000087 push eax 0x00000088 pushad 0x00000089 push eax 0x0000008a push edx 0x0000008b jnp 00007FCFF4C7A646h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D88F second address: 55D899 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F756 second address: 55F76E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCFF4C7A654h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55D899 second address: 55D89D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56056B second address: 560575 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55F76E second address: 55F772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 560575 second address: 5605D6 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCFF4C7A648h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007FCFF4C7A650h 0x00000011 jmp 00007FCFF4C7A64Ah 0x00000016 nop 0x00000017 mov ebx, dword ptr [ebp+122D315Bh] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007FCFF4C7A648h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 0000001Bh 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 sub dword ptr [ebp+122DB9F5h], esi 0x0000003f xor bx, EE46h 0x00000044 push 00000000h 0x00000046 mov edi, dword ptr [ebp+122D333Ah] 0x0000004c push eax 0x0000004d push ebx 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5605D6 second address: 5605DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561545 second address: 56154A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56154A second address: 5615BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCFF4D9C236h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007FCFF4D9C228h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FCFF4D9C228h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 mov di, dx 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f jp 00007FCFF4D9C226h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5667F9 second address: 566827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A654h 0x00000009 popad 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007FCFF4C7A646h 0x00000014 jmp 00007FCFF4C7A64Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 513217 second address: 51321B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51321B second address: 51321F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566DFB second address: 566DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567D80 second address: 567DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FCFF4C7A655h 0x0000000d nop 0x0000000e mov di, bx 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D3C16h] 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c jbe 00007FCFF4C7A64Ch 0x00000022 mov dword ptr [ebp+122D29B9h], eax 0x00000028 pop ebx 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564A02 second address: 564A08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 564A08 second address: 564A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567DBE second address: 567DC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 566FEC second address: 56705B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A654h 0x00000009 popad 0x0000000a pop edx 0x0000000b nop 0x0000000c jmp 00007FCFF4C7A64Dh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FCFF4C7A648h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 00000017h 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 cld 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov bl, 45h 0x0000003c mov eax, dword ptr [ebp+122D0D01h] 0x00000042 push edi 0x00000043 mov di, si 0x00000046 pop ebx 0x00000047 push FFFFFFFFh 0x00000049 movzx ebx, dx 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 pushad 0x00000051 popad 0x00000052 pop eax 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56705B second address: 567079 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCFF4D9C239h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568CD7 second address: 568D7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FCFF4C7A648h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 adc bl, 00000044h 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007FCFF4C7A648h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000016h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 jns 00007FCFF4C7A65Ch 0x00000047 push 00000000h 0x00000049 jmp 00007FCFF4C7A64Dh 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 jmp 00007FCFF4C7A656h 0x00000055 jmp 00007FCFF4C7A64Bh 0x0000005a popad 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567F7E second address: 567F84 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568D7C second address: 568D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567F84 second address: 567FAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCFF4D9C239h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007FCFF4D9C226h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568D80 second address: 568D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 567FAF second address: 567FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56ACF5 second address: 56AD0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCFF4C7A64Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AD0F second address: 56AD13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568F2B second address: 568F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568F34 second address: 568F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568F38 second address: 568F3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DB50 second address: 57DB5A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCFF4D9C226h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57DB5A second address: 57DB69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FCFF4C7A646h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D221 second address: 57D23F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jg 00007FCFF4D9C226h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ecx 0x0000000e jmp 00007FCFF4D9C22Ah 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D36E second address: 57D372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D372 second address: 57D39C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FCFF4D9C22Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FCFF4D9C234h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D39C second address: 57D3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D3A0 second address: 57D3C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C238h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D3C2 second address: 57D3F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A655h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 jng 00007FCFF4C7A646h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007FCFF4C7A646h 0x00000021 push ecx 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D3F5 second address: 57D3F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D3F9 second address: 57D416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCFF4C7A655h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D5C9 second address: 57D5ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FCFF4D9C23Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57D74E second address: 57D762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A650h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58415A second address: 584172 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FCFF4D9C226h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jbe 00007FCFF4D9C22Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 584172 second address: 584191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Dh 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f je 00007FCFF4C7A64Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 584191 second address: 5841D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FCFF4D9C231h 0x00000010 popad 0x00000011 jo 00007FCFF4D9C22Ch 0x00000017 jnc 00007FCFF4D9C226h 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FCFF4D9C233h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A3F0 second address: 58A3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FCFF4C7A646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589893 second address: 58989A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58989A second address: 5898BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnp 00007FCFF4C7A646h 0x0000000b jmp 00007FCFF4C7A64Ah 0x00000010 jne 00007FCFF4C7A646h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589A1F second address: 589A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589B73 second address: 589B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCFF4C7A646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589B7D second address: 589B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C230h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589D0C second address: 589D24 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCFF4C7A646h 0x00000008 jmp 00007FCFF4C7A64Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589D24 second address: 589D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589E6B second address: 589E77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 589E77 second address: 589E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FCFF4D9C226h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A126 second address: 58A13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Fh 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A13E second address: 58A154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4D9C232h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A154 second address: 58A184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A650h 0x00000007 jbe 00007FCFF4C7A646h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FCFF4C7A650h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58A184 second address: 58A188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59169A second address: 5916AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A651h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596AA4 second address: 596AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jno 00007FCFF4D9C23Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5956C4 second address: 5956D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d je 00007FCFF4C7A646h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595822 second address: 595826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595826 second address: 595870 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FCFF4C7A657h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FCFF4C7A64Bh 0x00000016 pushad 0x00000017 popad 0x00000018 jns 00007FCFF4C7A646h 0x0000001e popad 0x0000001f jmp 00007FCFF4C7A653h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595870 second address: 59588B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FCFF4D9C226h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCFF4D9C22Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59588B second address: 59588F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59588F second address: 595893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5959D6 second address: 5959DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595E84 second address: 595E9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C235h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595E9F second address: 595EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 595EA3 second address: 595EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596436 second address: 596445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007FCFF4C7A646h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596445 second address: 596455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FCFF4D9C226h 0x0000000a jl 00007FCFF4D9C226h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596455 second address: 59647A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007FCFF4C7A657h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59647A second address: 59649A instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCFF4D9C226h 0x00000008 jmp 00007FCFF4D9C230h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59649A second address: 5964E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCFF4C7A646h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jmp 00007FCFF4C7A653h 0x00000011 jmp 00007FCFF4C7A653h 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FCFF4C7A652h 0x0000001d push edx 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 596791 second address: 5967BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCFF4D9C231h 0x00000008 jmp 00007FCFF4D9C22Eh 0x0000000d popad 0x0000000e jc 00007FCFF4D9C22Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BCCF second address: 59BCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BCD3 second address: 59BCD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C29D second address: 59C2DC instructions: 0x00000000 rdtsc 0x00000002 je 00007FCFF4C7A646h 0x00000008 jmp 00007FCFF4C7A64Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007FCFF4C7A651h 0x00000015 popad 0x00000016 js 00007FCFF4C7A65Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 jmp 00007FCFF4C7A64Ah 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A222B second address: 5A2231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55618D second address: 537811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FCFF4C7A657h 0x0000000d nop 0x0000000e mov edi, dword ptr [ebp+122D2167h] 0x00000014 push esi 0x00000015 mov dword ptr [ebp+1247C60Dh], edi 0x0000001b pop edi 0x0000001c call dword ptr [ebp+122D363Ah] 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 pop eax 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55680B second address: 556811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556811 second address: 556829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FCFF4C7A64Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556829 second address: 556852 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCFF4D9C226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jmp 00007FCFF4D9C231h 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007FCFF4D9C226h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556852 second address: 556868 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FCFF4C7A646h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5569C8 second address: 5569D6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCFF4D9C226h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5569D6 second address: 5569DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556A43 second address: 556A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556A48 second address: 556A74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A655h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a movzx ecx, cx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FCFF4C7A64Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556A74 second address: 556A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556A7A second address: 556A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556C35 second address: 556C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556D74 second address: 556D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5571BB second address: 5571BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5575C5 second address: 5575CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5575CA second address: 5575D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5575D0 second address: 557616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A652h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jng 00007FCFF4C7A650h 0x00000012 nop 0x00000013 push ebx 0x00000014 mov edi, 127633AFh 0x00000019 pop edi 0x0000001a add cx, DB7Ah 0x0000001f lea eax, dword ptr [ebp+1248BF2Dh] 0x00000025 mov dx, bx 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557616 second address: 55761A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55761A second address: 557620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 557620 second address: 55762A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCFF4D9C22Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A13BB second address: 5A13C9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A13C9 second address: 5A13CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A13CD second address: 5A13FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jnp 00007FCFF4C7A64Eh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jns 00007FCFF4C7A646h 0x00000016 jng 00007FCFF4C7A65Fh 0x0000001c jmp 00007FCFF4C7A653h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4B08 second address: 5A4B12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FCFF4D9C226h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A4B12 second address: 5A4B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A740F second address: 5A7428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FCFF4D9C22Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7428 second address: 5A7446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCFF4C7A655h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A7446 second address: 5A744A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A713C second address: 5A7149 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCFF4C7A648h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC2EB second address: 5AC30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCFF4D9C237h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B230A second address: 5B231D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCFF4C7A646h 0x0000000a pushad 0x0000000b jl 00007FCFF4C7A646h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B231D second address: 5B2327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2327 second address: 5B2331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0CE9 second address: 5B0CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FCFF4D9C226h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0CFC second address: 5B0D02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0FAE second address: 5B0FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FCFF4D9C23Fh 0x0000000b jmp 00007FCFF4D9C233h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B13AB second address: 5B13B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B13B6 second address: 5B13BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B13BA second address: 5B13CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556F9D second address: 556FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 556FA1 second address: 556FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FCFF4C7A648h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D3A12h] 0x0000002a mov ebx, dword ptr [ebp+1248BF28h] 0x00000030 jnc 00007FCFF4C7A64Ch 0x00000036 add eax, ebx 0x00000038 adc di, 82B5h 0x0000003d clc 0x0000003e nop 0x0000003f jc 00007FCFF4C7A654h 0x00000045 pushad 0x00000046 jc 00007FCFF4C7A646h 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B152C second address: 5B1532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1532 second address: 5B1536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1698 second address: 5B169E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B497A second address: 5B497F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BBFF4 second address: 5BBFFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA0DF second address: 5BA0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA0E5 second address: 5BA0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA0E9 second address: 5BA0ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA6DE second address: 5BA6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA6E4 second address: 5BA6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA6E8 second address: 5BA6F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FCFF4D9C226h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB1E6 second address: 5BB200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A655h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB4B5 second address: 5BB4BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB4BB second address: 5BB4C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCFF4C7A646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB4C5 second address: 5BB4C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB4C9 second address: 5BB4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jl 00007FCFF4C7A64Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB789 second address: 5BB798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FCFF4D9C226h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB798 second address: 5BB79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BBC9F second address: 5BBCF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C239h 0x00000007 jnc 00007FCFF4D9C22Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FCFF4D9C22Ah 0x00000017 jnp 00007FCFF4D9C23Dh 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FCFF4D9C235h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C094F second address: 5C095B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCFF4C7A646h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BFD4C second address: 5BFD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BFFA3 second address: 5BFFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BFFA7 second address: 5BFFAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C00DD second address: 5C00EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FCFF4C7A646h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C00EF second address: 5C00FB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCFF4D9C226h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C00FB second address: 5C0101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C0249 second address: 5C0268 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C237h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C0268 second address: 5C026C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C069B second address: 5C06A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C06A1 second address: 5C06A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC298 second address: 5CC2B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCFF4D9C226h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCFF4D9C22Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC2B4 second address: 5CC2E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A658h 0x00000007 jo 00007FCFF4C7A646h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 je 00007FCFF4C7A646h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC2E4 second address: 5CC2EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CC5BA second address: 5CC5C2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CCCF4 second address: 5CCCF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CCCF9 second address: 5CCD03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FCFF4C7A646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2EAD second address: 5D2EB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2EB3 second address: 5D2ECE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCFF4C7A64Bh 0x0000000f jl 00007FCFF4C7A646h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D2ECE second address: 5D2ED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D443E second address: 5D4448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCFF4C7A646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D4448 second address: 5D444C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D444C second address: 5D445B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCFF4C7A646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D8664 second address: 5D8668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D8668 second address: 5D866E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D893A second address: 5D895C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C231h 0x00000007 jmp 00007FCFF4D9C22Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D895C second address: 5D899C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A652h 0x00000007 pushad 0x00000008 jmp 00007FCFF4C7A652h 0x0000000d je 00007FCFF4C7A646h 0x00000013 jmp 00007FCFF4C7A64Ch 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D899C second address: 5D89A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E56F7 second address: 5E5735 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A655h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FCFF4C7A654h 0x00000011 pop ebx 0x00000012 pop ecx 0x00000013 jnc 00007FCFF4C7A67Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E5735 second address: 5E5739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E88CF second address: 5E88D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8A71 second address: 5E8A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E8A77 second address: 5E8A87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FCFF4C7A646h 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EDA6C second address: 5EDA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007FCFF4D9C239h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5EDA8D second address: 5EDA98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCFF4C7A646h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F4574 second address: 5F4578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5F4578 second address: 5F458E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCFF4C7A646h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007FCFF4C7A64Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 600C56 second address: 600C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FF9A3 second address: 5FF9BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FCFF4C7A657h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FFB0E second address: 5FFB14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FFC7B second address: 5FFC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FFC7F second address: 5FFCC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C231h 0x00000007 jmp 00007FCFF4D9C22Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f jmp 00007FCFF4D9C231h 0x00000014 jmp 00007FCFF4D9C22Fh 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FCFF4D9C226h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FFCC8 second address: 5FFCD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FFCD2 second address: 5FFCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5FFCD8 second address: 5FFCDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030A0 second address: 6030A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030A6 second address: 6030AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030AC second address: 6030B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCFF4D9C226h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030B8 second address: 6030BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030BC second address: 6030E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCFF4D9C22Dh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCFF4D9C234h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030E7 second address: 6030EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030EC second address: 6030F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6030F2 second address: 603106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6050F7 second address: 605108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 ja 00007FCFF4D9C226h 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605108 second address: 60510E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60510E second address: 605112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605112 second address: 605116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 605116 second address: 60511C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 60511C second address: 605125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6114FA second address: 611500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613859 second address: 61386A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A64Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624C3F second address: 624C75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4D9C238h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCFF4D9C238h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624C75 second address: 624C83 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624C83 second address: 624C87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624C87 second address: 624C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624C8B second address: 624CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4D9C237h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jl 00007FCFF4D9C241h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624CD1 second address: 624CDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624E14 second address: 624E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4D9C231h 0x00000009 jne 00007FCFF4D9C226h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 624E34 second address: 624E3A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CDD5 second address: 62CDDA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CDDA second address: 62CDF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCFF4C7A646h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FCFF4C7A646h 0x00000013 jne 00007FCFF4C7A646h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62CF5A second address: 62CF64 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCFF4D9C226h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D1FF second address: 62D20C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCFF4C7A646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D20C second address: 62D22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FCFF4D9C238h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D22B second address: 62D238 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCFF4C7A648h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D238 second address: 62D25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4D9C233h 0x00000009 jbe 00007FCFF4D9C226h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D25F second address: 62D263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D6DD second address: 62D6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D6E1 second address: 62D6FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCFF4C7A656h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D6FB second address: 62D719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FCFF4D9C234h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D85B second address: 62D85F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D85F second address: 62D869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D869 second address: 62D889 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCFF4C7A646h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FCFF4C7A646h 0x00000014 jmp 00007FCFF4C7A64Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D889 second address: 62D8C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FCFF4D9C22Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FCFF4D9C23Eh 0x00000011 popad 0x00000012 jnl 00007FCFF4D9C254h 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D8C3 second address: 62D8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCFF4C7A646h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62D8D4 second address: 62D8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630EC0 second address: 630EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6308EF second address: 6308F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635DA9 second address: 635DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCFF4C7A651h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6391C4 second address: 6391CB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 638D50 second address: 638D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 638D54 second address: 638D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630A7B second address: 630A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCFF4C7A654h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630BEF second address: 630BF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630BF8 second address: 630BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630BFE second address: 630C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCFF4D9C244h 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 630C10 second address: 630C1A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCFF4C7A646h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54FB27 second address: 54FB2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54FB2C second address: 54FB33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54FD5C second address: 54FD63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 39DD07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 39DDE0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 542D78 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 5DE964 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeMemory allocated: 4A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exeMemory allocated: 4CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exeMemory allocated: 6CD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00520451 rdtsc 0_2_00520451
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 2268Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00580136 GetSystemInfo,VirtualAlloc,0_2_00580136
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
Source: C:\Users\user\Desktop\file.exeFile opened: SICE
Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00520451 rdtsc 0_2_00520451
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0039B7E2 LdrInitializeThunk,0_2_0039B7E2
Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: SProgram Manager
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0057791A GetSystemTime,GetFileTime,0_2_0057791A

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\NotificationsRegistry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exeRegistry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the signature count the report attaches to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Bypass User Account Control (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (41); Virtualization/Sandbox Evasion (261); Process Injection (1); Obfuscated Files or Information (2); Software Packing (11); DLL Side-Loading (1); Bypass User Account Control (2)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (1); Security Software Discovery (641); Process Discovery (2); Virtualization/Sandbox Evasion (261); System Information Discovery (24); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source     Detection   Scanner          Label                     Link
file.exe   45%         ReversingLabs    Win32.Infostealer.Tinba
file.exe   100%        Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1572098
Start date and time:2024-12-10 05:47:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 3m 58s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.63
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.445551470249268
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'817'536 bytes
MD5:b83484c3308f5ccee74b32fecbd5868c
SHA1:b3b557f3bf6019df3ab543760a027dfc3856c526
SHA256:9e11cbefdb3ba615161b19b9ec876063f892c32aeebc86cb7976a0317cb3326f
SHA512:83ab51f4a555e1c2aac2ec5a35f201cf4c43991f4a1af6e179e4a22a27f0b9be38653f0d1a95169c2d6fb157f0806dc1a357c52f0fec2d36812d66d74401645b
SSDEEP:49152:IGLp0cqE93AVtv2nNOY2S46Frgb4RCn9gYh:Ikp0cqE93AVtv2sS40gGC
TLSH:9BD53A91B90971CBE48E2774852BCD8659AD03BA0B214DC7EC6DB4BE7D73DC211BAC24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`+.. ...`....@.. ........................+......r+...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6b6000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x8055          | 0x69         | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x6000          | 0x500        | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x81f8          | 0x8          | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name     | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type            | Entropy            | Characteristics
         | 0x2000          | 0x4000       | 0x1200   | 547bb36fe4a381038821d30bc5398a06 | False    | 0.9286024305555556  | data                 | 7.720931482911967  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc    | 0x6000          | 0x500        | 0x600    | 3f0822cb5bc594d18b0318d6ab15c5ae | False    | 0.3951822916666667  | data                 | 4.442048717005577  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   | 0x8000          | 0x2000       | 0x200    | ec9cb51e8cb4ea49a56ee3cf434fb69e | False    | 0.1484375           | data                 | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iqfgoyby | 0xa000          | 0x2aa000     | 0x2a9e00 | 361b3db89b485afb38c1927ebeeaa688 | unknown  | unknown             | unknown              | unknown            | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fltcogvq | 0x2b4000        | 0x2000       | 0x400    | 877dcc2abb7d89e677dc88e67435205c | False    | 0.76953125          | zlib compressed data | 6.018806703422708  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2b6000        | 0x4000       | 0x2200   | ed6b92621296fcc86fcf93422da92060 | False    | 0.06158088235294118 | DOS executable (COM) | 0.7910797145271923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name        | RVA    | Size  | Type                                   | Language | Country | ZLIB Complexity
RT_VERSION  | 0x60a0 | 0x30c | data                                   |          |         | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x152 | ASCII text, with CRLF line terminators |          |         | 0.6479289940828402
DLL          | Import
kernel32.dll | lstrcpy
No network behavior found


Target ID:0
Start time:23:47:55
Start date:09/12/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x390000
File size:2'817'536 bytes
MD5 hash:B83484C3308F5CCEE74B32FECBD5868C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:5.8%
    Dynamic/Decrypted Code Coverage:4.2%
    Signature Coverage:6.5%
    Total number of Nodes:309
    Total number of Limit Nodes:20

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11F35FEC), ref: 00580142
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 005801A3
    Memory Dump Source
    • Source File: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: db33d2254c0a59594cd520824d91837a255752afe3334bc2f0c1a7cbacade204
    • Instruction ID: 7e45d5abe2ef31262e662488a71cb50e4ef64061de6bf7a96fb32ece93afe9b5
    • Opcode Fuzzy Hash: db33d2254c0a59594cd520824d91837a255752afe3334bc2f0c1a7cbacade204
    • Instruction Fuzzy Hash: 09411571E44206ABD769EF60D949F96FBACFB4C750F140852A603ED8C2E67095D88BE0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 38d337907c3cefff7cefaab778be7f21e0004a80bcd3ba8b4eec1b938a35799b
    • Instruction ID: f1a68df0cf945c41568d419579209e5fc6864bc80d3a41aeed016ed86361ee4f
    • Opcode Fuzzy Hash: 38d337907c3cefff7cefaab778be7f21e0004a80bcd3ba8b4eec1b938a35799b
    • Instruction Fuzzy Hash: 7401F2A328E27139FA1066117D51BBA2A4DEBD3B70F30A82AF645A64C3C0842C0A1160
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 7fead42b80cd2aba6d2178385f93834119d55f82c28dcf4fc51c0024ee941071
    • Instruction ID: 0c3addb66d2a189341e9b77e481fe3b2efc6b886a822686caa87f110b70840e6
    • Opcode Fuzzy Hash: 7fead42b80cd2aba6d2178385f93834119d55f82c28dcf4fc51c0024ee941071
    • Instruction Fuzzy Hash: F0E0C2B111C4C59ACF279F64AA417A9BB6EDF54700F500124FB419FE49CB2D0C118755

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00574FB1
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00574FC5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 38d35195ba123ac16a5d6df5747b6aac608f97093066900222fba14d4d582622
    • Instruction ID: 9850de06f48d2c45425e26f442daff3dee81800b5445472c20f639ec5b0c50ee
    • Opcode Fuzzy Hash: 38d35195ba123ac16a5d6df5747b6aac608f97093066900222fba14d4d582622
    • Instruction Fuzzy Hash: 4F315A7140421AEFDF25AF50E908AAE7F79FF44350F10C515F90AAA261C7319AA0FF92

    Control-flow Graph

    • Legend: Executed / Not Executed
    • Graph (rendered as an image in the original; only the node list survived extraction): basic blocks 580b62 through 580cf4, internal calls to 5809f7 and 580acc, VirtualProtect called from block 580cb1-580cb9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID: .exe$.exe
    • API String ID: 0-1392631246
    • Opcode ID: 38a19db3ecfc94071daca9b59e1f99353e326422103ce266cf8a0c93d66b8d61
    • Instruction ID: ffde9cdf7433cc70c850d9cc2aaf7a551230d6e1af69e88160862333ce21c92a
    • Opcode Fuzzy Hash: 38a19db3ecfc94071daca9b59e1f99353e326422103ce266cf8a0c93d66b8d61
    • Instruction Fuzzy Hash: DD415B7190020AEFEB64EF54D944BAEBFA0FF00314F249555ED42BA5D2C371AC98DB51

    Control-flow Graph

    • Legend: Executed / Not Executed
    • Graph (rendered as an image in the original; only the node list survived extraction): basic blocks 5753a6 through 575483, internal calls to 574d0a, 5737cd, 573edf and 573878, GetModuleHandleW called from block 575460-575469 and GetModuleHandleA from block 57546e-575471
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00575338,?,00000000,00000000), ref: 00575463
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00575338,?,00000000,00000000), ref: 00575471
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: eec1c2426be021eabe5dd0f6cfa5af4a335479de042fd75372526dc6be449502
    • Instruction ID: 0d22915f11f8eb666376fba2945f44058fd51817b53d89f776a8a6cdde3c1196
    • Opcode Fuzzy Hash: eec1c2426be021eabe5dd0f6cfa5af4a335479de042fd75372526dc6be449502
    • Instruction Fuzzy Hash: A1110A30205A06AFEF20AF10E80DB697EB6FB00342F10D625B44A544A0E7F1D9E5FA92

    Control-flow Graph

    • Legend: Executed / Not Executed
    • Graph (rendered as an image in the original; only the node list survived extraction): basic blocks 577d00 through 577d9a, internal calls to 5737cd, 573f31, 573edf and 573878, GetFileAttributesW called from block 577d73-577d7f and GetFileAttributesA from block 577d84-577d87
    APIs
    • GetFileAttributesW.KERNELBASE(00B80184,-11F35FEC), ref: 00577D79
    • GetFileAttributesA.KERNEL32(00000000,-11F35FEC), ref: 00577D87
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 36b3ff91f611355f991e0dda25da54879023944c2040486bdfe78d5aa160d41b
    • Instruction ID: 20d7ab0cc5cdd9c3a78a99962d99439b7bc69242bcf0888a958b008d900be88d
    • Opcode Fuzzy Hash: 36b3ff91f611355f991e0dda25da54879023944c2040486bdfe78d5aa160d41b
    • Instruction Fuzzy Hash: 8B01467050824AFAEB319F54F80DBACBE71FF48344F20C624E50B665A1C7B08A91FA40

    Control-flow Graph

    • Executed
    • Not Executed
    Basic blocks (node: address range, API call or subcall, successors):
    • 126: 529acd-52d9ff -> 129, 130
    • 129: 52da01-52da1c, RegOpenKeyA -> 130, 131
    • 130: 52da28-52da43, RegOpenKeyA -> 132, 133
    • 131: 52da1e -> 130
    • 132: 52da45-52da4f -> 133
    • 133: 52da5b-52da87 -> 136, 137
    • 136: 52da94-52da9e -> 138, 139
    • 137: 52da89-52da92, GetNativeSystemInfo -> 136
    • 138: 52daa0 -> 139
    • 139: 52daaa-52dab8 -> 141, 142
    • 141: 52dac4-52dacb -> 143, 144
    • 142: 52daba -> 141
    • 143: 52dad1-52dad8 -> 144, 145
    • 144: 52dade -> 145
    • 145: 52db96-52db9d -> 146, 147
    • 146: 52dba3-52dbc5 -> 147
    • 147: 52e426-52e447 (exit)
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0052DA14
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0052DA3B
    • GetNativeSystemInfo.KERNELBASE(?), ref: 0052DA92
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 2ba3c0af180a1bedab0da4c891feec490f2f3db5b286b1d9fca72e1d0e595b67
    • Instruction ID: 23711d6be1159cd8aa768e81fed91beb0286bbbfb2a031a9dd393dd68db1cadf
    • Opcode Fuzzy Hash: 2ba3c0af180a1bedab0da4c891feec490f2f3db5b286b1d9fca72e1d0e595b67
    • Instruction Fuzzy Hash: E741087210851E9FDF21DF64D848AEF3BB4FF05305F404426E98686A90E7764CA4CF5A

    Control-flow Graph

    • Executed
    • Not Executed
    Basic blocks (node: address range, API call or subcall, successors):
    • 148: 573d80-573db0 -> 150, 151
    • 150: 573db6-573dcb -> 151, 153
    • 151: 573edb-573edc (exit)
    • 153: 573dd1-573dd5 -> 154, 155
    • 154: 573df7-573dfe -> 156, 157
    • 155: 573ddb-573ded, PathAddExtensionA -> 158
    • 156: 573e04-573e13, call 573a21 -> 162
    • 157: 573e20-573e27 -> 160, 161
    • 158: 573df6 -> 154
    • 160: 573e2d-573e34 -> 163, 164
    • 161: 573e69-573e70 -> 165, 166
    • 162: 573e18-573e1a -> 151, 157
    • 163: 573e4d-573e5c, call 573a21 -> 175
    • 164: 573e3a-573e43 -> 163, 170
    • 165: 573e76-573e8c, call 573a21 -> 151, 166
    • 166: 573e92-573e99 -> 168, 169
    • 168: 573e9f-573eb5, call 573a21 -> 151, 169
    • 169: 573ebb-573ec2 -> 151, 174
    • 170: 573e49 -> 163
    • 174: 573ec8-573ed5, call 573a5a -> 151
    • 175: 573e61-573e63 -> 151, 161
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00573DE2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 546b3271ee9fa9419e151c6c920d8338d33bab71a641fddf26b67abe9a7507b1
    • Instruction ID: 9c155872288dfc2a2f89eefd73fa078096732e8230e0555c191940b522ade1b2
    • Opcode Fuzzy Hash: 546b3271ee9fa9419e151c6c920d8338d33bab71a641fddf26b67abe9a7507b1
    • Instruction Fuzzy Hash: 1931287561120ABEEF22CF94DC09F9EBB79FF44364F008055F905A51A0E3729AA1FB50

    Control-flow Graph

    • Executed
    • Not Executed
    Basic blocks (node: address range, API call or subcall, successors):
    • 179: 57548f-5754a2, call 5737cd -> 182, 183
    • 182: 5754e5-5754f9, call 573878, GetModuleHandleExA -> 189
    • 183: 5754a8-5754b4, call 573edf -> 186
    • 186: 5754b9-5754bb -> 182, 188
    • 188: 5754c1-5754c8 -> 190, 191
    • 189: 575503-575505 (exit)
    • 190: 5754d1-5754fe, call 573878 -> 189
    • 191: 5754ce -> 190
    APIs
      • Part of subcall function 005737CD: GetCurrentThreadId.KERNEL32 ref: 005737DC
      • Part of subcall function 005737CD: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0057381F
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 005754F3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 674432d036e68805b555954d2c41cc7b1a995ac59b9391cb0a7f4a5de76657c0
    • Instruction ID: f72bdc7fa0df776e63fd5ee2110fd50f5800cae74f193dbfefc917313ee132b7
    • Opcode Fuzzy Hash: 674432d036e68805b555954d2c41cc7b1a995ac59b9391cb0a7f4a5de76657c0
    • Instruction Fuzzy Hash: 32F01DB1200605AFDF109F64E949AA93FA6FF54311F10C121FD0949161E771CAA1FA52

    Control-flow Graph

    • Executed
    • Not Executed
    Basic blocks (node: address range, API call or subcall, successors):
    • 222: 577888-57789e, call 5737cd, GetCurrentProcess -> 225, 226
    • 225: 5778a4-5778a7 -> 226, 228
    • 226: 5778e0-577902, call 573878, DuplicateHandle -> 231
    • 228: 5778ad-5778b0 -> 226, 230
    • 230: 5778b6-5778c9, call 573627 -> 226, 234
    • 231: 57790c-57790e (exit)
    • 234: 5778cf-577907, call 575625, call 573878 -> 231
    APIs
      • Part of subcall function 005737CD: GetCurrentThreadId.KERNEL32 ref: 005737DC
      • Part of subcall function 005737CD: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0057381F
    • GetCurrentProcess.KERNEL32(-11F35FEC), ref: 00577895
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 005778FB
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 6406bdf6953a012b69737fa9a0c22b0e58f8fca88e175f8a2b286ed05716ec05
    • Instruction ID: 41c674fa3530b0fbfb484069c3b51e123550a857934b08c0305360b6f78f107f
    • Opcode Fuzzy Hash: 6406bdf6953a012b69737fa9a0c22b0e58f8fca88e175f8a2b286ed05716ec05
    • Instruction Fuzzy Hash: 0D01E87210414EBB8F226FA4FC49CAE3F65FF987A4B108525F91A94020C731D561FB22

    Control-flow Graph

    • Executed
    • Not Executed
    Basic blocks (node: address range, API call, successors; the 245 -> 240 back edge is the Sleep loop):
    • 239: 5737cd-5737e3, GetCurrentThreadId -> 240
    • 240: 5737e5-5737f1 -> 241, 242
    • 241: 5737f7-5737f9 -> 242, 243
    • 242: 57382c-573839 (exit)
    • 243: 5737ff-573806 -> 244, 245
    • 244: 57380c-573813 -> 245, 247
    • 245: 57381b-573827, Sleep -> 240
    • 247: 573819 -> 245
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 005737DC
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0057381F
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: d8686214ed8ac0d8b1cb3d2db9278fc77203ae8cf213f459d2068303cfc6560e
    • Instruction ID: af5bc64dc7c7b1687e0d0283b8f2b7adb150ab9c4044ab0a17968667cbca0aaf
    • Opcode Fuzzy Hash: d8686214ed8ac0d8b1cb3d2db9278fc77203ae8cf213f459d2068303cfc6560e
    • Instruction Fuzzy Hash: 22F0247150210AEFD7228F60E44876E7AB4FF40329F20813DE10652190C7B46E85FA83

    Control-flow Graph (rendered graph image not reproduced; legend: executed / not executed; node and edge list follows)
    control_flow_graph 248 576521-576540 call 5737cd call 573627 253 576556-576566 call 573878 CloseHandle 248->253 254 576546-576547 call 57560d 248->254 259 576570-576572 253->259 258 57654c-57656b call 573878 254->258 258->259
    APIs
      • Part of subcall function 005737CD: GetCurrentThreadId.KERNEL32 ref: 005737DC
      • Part of subcall function 005737CD: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0057381F
    • CloseHandle.KERNELBASE(?,-11F35FEC,?,?,00575EE4,?), ref: 0057655F
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID: ^W
    • API String ID: 4003616898-889593873
    • Opcode ID: a9203963e286d9dde9df408728c68651ea8c3bd18d6de74b227554e2bfbadc35
    • Instruction ID: e72bd38b9512d4ac4f512e99d272375fdc72e47a2d30c0d20d4d6ced451f0239
    • Opcode Fuzzy Hash: a9203963e286d9dde9df408728c68651ea8c3bd18d6de74b227554e2bfbadc35
    • Instruction Fuzzy Hash: A6E048B360084679DB107E78F80DC5D1E69FFD0750740C231F10A95015D631C291F661

    Control-flow Graph (rendered graph image not reproduced; legend: executed / not executed; node and edge list follows)
    control_flow_graph 262 51d62f-51d635 LoadLibraryA 263 51d63b-51d7eb 262->263 268 51d7ec 263->268 268->268
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 2850f46db4c08a86ee41b7e55da75b61f84f9c6157c56af88981e121f9a2e709
    • Instruction ID: a5489c11f46f1e6184b473f2db759c330752481fcc313ff67216adb66a0efa99
    • Opcode Fuzzy Hash: 2850f46db4c08a86ee41b7e55da75b61f84f9c6157c56af88981e121f9a2e709
    • Instruction Fuzzy Hash: 474198F350C210AFE3416E59DD84ABABBF9FB95370F25492EF5C4C2600E775884486A2

    Control-flow Graph (rendered graph image not reproduced; legend: executed / not executed; node and edge list follows)
    control_flow_graph 269 5204ba-5204c3 270 5204c5-5204c9 269->270 271 52050f-520519 269->271 272 520523-520563 270->272 273 5204cb-5204e1 270->273 279 520569 272->279 280 52056e-520584 272->280 277 5204e7 273->277 278 5204ef-520507 call 52050a 273->278 277->278 281 5204ed-5204ee 277->281 285 5207bf-5207c9 call 5207cc 278->285 279->280 288 52058a-52058b 280->288 289 52058c-5205b0 CreateFileA 280->289 281->278 288->289 289->285 293 5205b6-5205cd 289->293 295 5205d3-5205dc 293->295 296 5205dd-52063b call 5205f7 call 52063e 293->296 295->296
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 477f62b9c4feb29f02553706b397d43093f531c292667d981bd241583c108607
    • Instruction ID: c60cecf55b4e22e08cfafd7ca554b6fa9b75c1084b7743a38bd4bf8ab6012fa3
    • Opcode Fuzzy Hash: 477f62b9c4feb29f02553706b397d43093f531c292667d981bd241583c108607
    • Instruction Fuzzy Hash: 422108B728B2367DE6216A543E54BBB6E5DFFD3730F30A419F545A60C3D2900A045934

    Control-flow Graph (rendered graph image not reproduced; legend: executed / not executed; node and edge list follows)
    control_flow_graph 304 5204d2-5204d3 305 520530-520539 304->305 306 5204d5-5204e1 304->306 308 520571-520584 305->308 309 52053b-520563 305->309 311 5204e7 306->311 312 5204ef-520507 call 52050a 306->312 318 52058a-52058b 308->318 319 52058c-5205b0 CreateFileA 308->319 314 520569 309->314 315 52056e-520570 309->315 311->312 316 5204ed-5204ee 311->316 322 5207bf-5207c9 call 5207cc 312->322 314->315 315->308 316->312 318->319 319->322 325 5205b6-5205cd 319->325 328 5205d3-5205dc 325->328 329 5205dd-52063b call 5205f7 call 52063e 325->329 328->329
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: e9b13ab7160be3feac71476e94d26bc9f6433c6bd112b78288881a442f9db10c
    • Instruction ID: c876cd26c67da310812a0662a75a06a5e319efac1e9f55977e113419ba1d1774
    • Opcode Fuzzy Hash: e9b13ab7160be3feac71476e94d26bc9f6433c6bd112b78288881a442f9db10c
    • Instruction Fuzzy Hash: 492129B668A2366EE6229A503E54BFB6E59FF93730F306425F045D60C3D1800A455934

    Control-flow Graph
    Legend: Executed / Not Executed
    Basic blocks (node: address range, call target):
    • 337: 575f07-575f18
    • 338: 575f47-575f50, call 5738ab
    • 339: 575f1e-575f32, call 5738ab
    • 344: 575f56-575f67, call 5756e9
    • 345: 57602d-576030, call 5738d0
    • 349: 576035
    • 350: 575f38-575f46
    • 352: 57603c-576040
    • 353: 575f87-575fc6, CreateFileA
    • 354: 575f6d-575f71
    • 355: 575fcc-575fe9
    • 356: 575fea-575fed
    • 358: 575f77-575f83
    • 359: 575f84
    • 360: 575ff3-57600a, call 5735ed
    • 361: 576020-576028, call 575578
    • 368: 576010-57601b, call 5755e6
    Edges: 337->338, 337->339, 338->344, 338->345, 339->349, 339->350, 344->353, 344->354, 345->349, 349->352, 350->338, 353->355, 353->356, 354->358, 354->359, 355->356, 356->360, 356->361, 358->359, 359->353, 360->352, 360->368, 361->349, 368->349
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00575FBC
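    The APIs entry above prints CreateFileA's arguments as raw hexadecimal stack values. The Python below is an added example, not code from Joe Sandbox or from this report: it parses such a reference line, maps the first seven values onto the documented CreateFile parameters (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and so on, using the Windows SDK constant values), labels the call site's intent, and decodes the dotted names of the dump regions listed under Memory Dump Source so that writable-and-executable regions can be listed by RVA. The image base 0x390000 is the report's Offset value. The meaning assigned to the .sdmp name fields (base address in the fourth field, page protection in the fifth) is an assumption not documented on this page; the tail fields are returned raw.

```python
"""Decode Joe Sandbox 'APIs' reference lines and .sdmp region names (added example)."""
import re

# CreateFile argument constants, values as in winnt.h / fileapi.h.
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR_FLAGS = {0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}
# Page protection constants from winnt.h; PAGE_GUARD is a modifier bit.
PAGE_PROTECTIONS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_GUARD = 0x100
CREATEFILE_PARAMS = ("lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                     "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile")

# Shape of an 'APIs' line: Api.Module(hexargs,...), ref: callsite
CALL_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Dotted .sdmp name: third field decimal, the others hexadecimal.
SDMP_RE = re.compile(r"(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)\."
                     r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<rest>[0-9A-F.]+)\.sdmp", re.I)


def decode_flags(value, table):
    """Render a bitmask as OR-ed symbolic names; unknown leftover bits are kept as hex."""
    if value == 0:
        return "0"
    names = [name for bit, name in table.items() if value & bit]
    leftover = value
    for bit in table:
        leftover &= ~bit
    if leftover:
        names.append(hex(leftover))
    return " | ".join(names)


def parse_joe_api_ref(line):
    """Split one 'APIs' reference line into api, module, argument list and call site."""
    m = CALL_RE.search(line)
    if not m:
        raise ValueError("not a Joe Sandbox API reference line: %r" % line)
    raw = [a.strip() for a in m.group("args").split(",") if a.strip()]
    # '?' marks a value the sandbox could not recover; keep it as None.
    args = [None if a == "?" else int(a, 16) for a in raw]
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def decode_createfile(call):
    """Map the first seven values onto CreateFile's parameters. Anything beyond that is
    extra stack content the report printed and is not part of the call."""
    args, out = call["args"], {}
    for i, name in enumerate(CREATEFILE_PARAMS):
        v = args[i] if i < len(args) else None
        if v is None:
            out[name] = "?"
        elif name == "dwDesiredAccess":
            out[name] = decode_flags(v, ACCESS_FLAGS)
        elif name == "dwShareMode":
            out[name] = decode_flags(v, SHARE_FLAGS)
        elif name == "dwCreationDisposition":
            out[name] = DISPOSITIONS.get(v, hex(v))
        elif name == "dwFlagsAndAttributes":
            out[name] = decode_flags(v, ATTR_FLAGS)
        else:
            out[name] = hex(v)
    out["extra_stack_values"] = args[len(CREATEFILE_PARAMS):]
    return out


def classify_createfile(decoded):
    """Coarse intent label for triaging many CreateFile call sites at once."""
    access, disp = decoded["dwDesiredAccess"], decoded["dwCreationDisposition"]
    if "?" in (access, disp):
        return "unresolved"
    writes = "GENERIC_WRITE" in access or "GENERIC_ALL" in access
    if writes or disp in ("CREATE_NEW", "CREATE_ALWAYS", "TRUNCATE_EXISTING"):
        return "creates or modifies a file"
    return "reads an existing file"


def decode_sdmp_name(name, image_base=0x390000):
    """ASSUMPTION: the fourth dotted field is the region base address and the fifth is the
    Win32 page protection at dump time. The remaining fields are returned unparsed."""
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError("not a .sdmp name: %r" % name)
    base, prot = int(m.group("base"), 16), int(m.group("prot"), 16)
    prot_name = PAGE_PROTECTIONS.get(prot & 0xFF, hex(prot & 0xFF))
    if prot & PAGE_GUARD:
        prot_name += " | PAGE_GUARD"
    return {"process": int(m.group("proc"), 16), "stage": int(m.group("stage"), 16),
            "dump_id": int(m.group("dump")), "base": base, "protection": prot_name,
            "rva": base - image_base, "raw_tail": m.group("rest")}


def rwx_region_rvas(names, image_base=0x390000):
    """RVAs of dumped regions that were both writable and executable: the usual home of
    unpacked or self-modifying code, which this report flags elsewhere."""
    rvas = [info["rva"] for info in (decode_sdmp_name(n, image_base) for n in names)
            if info["protection"].startswith(("PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"))]
    return sorted(rvas)


if __name__ == "__main__":
    # Lines copied from this report; the .sdmp names are three of the Associated entries.
    call = parse_joe_api_ref("CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,"
                             "00000000,00000000,?,00000000,00000010), ref: 00575FBC")
    decoded = decode_createfile(call)
    print(hex(call["ref"]), decoded, classify_createfile(decoded))
    dumps = ["00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp",
             "00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp",
             "00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp"]
    print([hex(r) for r in rwx_region_rvas(dumps)])
```

    For the call site at 00575FBC the decoder yields GENERIC_READ, FILE_SHARE_READ and OPEN_EXISTING with no flags, that is, a read-only open of a file that must already exist; the trailing ?, 00000000 and 00000010 are stack values past the seventh parameter and are not arguments. The single-argument entry at 0052075A decodes to an unresolved site, which matches the sandbox having recovered only one value there.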
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a5243b8b40e6ad5fd5ee25c2a98009e1605266e4390a1bc67f84af373e9c94d4
    • Instruction ID: bfbbbc2097b00ef6a22da987007f43769baf2702cdbba36be28c906264907735
    • Opcode Fuzzy Hash: a5243b8b40e6ad5fd5ee25c2a98009e1605266e4390a1bc67f84af373e9c94d4
    • Instruction Fuzzy Hash: A031B0B1900605BEEB219F61EC49F9EBFB8FF44324F20C229F509AA191D7719A51EB10
    APIs
    • CreateFileA.KERNELBASE(D783C2B8), ref: 0052075A
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0d760fb1611b62c4880f899ae698bfb8773daf2652152a5f21ff3cf4aeac3a7c
    • Instruction ID: 8e5d5cd505f75458583a9e29ab095742d38ee4098b94b6a1821ba0a904966a25
    • Opcode Fuzzy Hash: 0d760fb1611b62c4880f899ae698bfb8773daf2652152a5f21ff3cf4aeac3a7c
    • Instruction Fuzzy Hash: 761190B328A2613DF201C6557EA9FBA6FACEFC3730F34942AF801D64C3D69068095534
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ff2b01f333ece8b3ca00d306f53c54c6c12d3a4639092e5a519d7162eee9c4b4
    • Instruction ID: fb39751e3ca711745314637f9d3dce70d2855bdb13193c18282c74f0ec7835e4
    • Opcode Fuzzy Hash: ff2b01f333ece8b3ca00d306f53c54c6c12d3a4639092e5a519d7162eee9c4b4
    • Instruction Fuzzy Hash: 812137B728A2366EE622AB502A14BBA7F68FFC3770F305429F445970C3D1900A098A34
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 005757A5
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b6aa6eb19ec9e141f35df6c538e314fd416918e23fa92821e3e7e152966ba193
    • Instruction ID: 057d2b82017d08f633a632472b529cef32becdcdc12bb509abe1498c564694a3
    • Opcode Fuzzy Hash: b6aa6eb19ec9e141f35df6c538e314fd416918e23fa92821e3e7e152966ba193
    • Instruction Fuzzy Hash: C931C371A00605BEEB309F64EC45F99BBB8FB00764F20C265F615AA0D1E7B1A642DB54
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 71170c688da9ca7789748bca051190c102e95ea0cc9bca862b9914f95ae59ca8
    • Instruction ID: bb7a7ef337cf4e00841e10cfa7ddd5fc1ef4270079e3db194d74ba408b6c08cf
    • Opcode Fuzzy Hash: 71170c688da9ca7789748bca051190c102e95ea0cc9bca862b9914f95ae59ca8
    • Instruction Fuzzy Hash: 8E112CB728A1367DE6119E547A04AFB7E2DFEC3370F305425F446D61C3D2900A459D34
    APIs
    • CreateFileA.KERNELBASE(D783C2B8), ref: 0052075A
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a8267c5728833bedc748719313a4fdd8ea09d47025a4d8e739a4d1ab948b4440
    • Instruction ID: faec3d0f65e809a305b296c01d82699a8f0ddd181df8b619eec777c58d1ce743
    • Opcode Fuzzy Hash: a8267c5728833bedc748719313a4fdd8ea09d47025a4d8e739a4d1ab948b4440
    • Instruction Fuzzy Hash: FA016DF728A2213DB102C6857E54EFB6B6CF9C3770734982AF806E24C3D6902D492534
    APIs
    • CreateFileA.KERNELBASE(D783C2B8), ref: 0052075A
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 30958841c1a95dfaea2cc2e025b0917a0b1eb32e91a337623a82abca1bb44b12
    • Instruction ID: 3fb6de3a12f5bb5b6369fb3921306dfe50c7b206624ea35691bbe52383897daa
    • Opcode Fuzzy Hash: 30958841c1a95dfaea2cc2e025b0917a0b1eb32e91a337623a82abca1bb44b12
    • Instruction Fuzzy Hash: 82015BF728A1213DB102C685BE68EFB6B6CF9C3770734982AF406E24C3D6942E092534
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d72db9dc10e2592330f1b49f1f6a571d2a0c2580a8d1f8f266f91959117c9664
    • Instruction ID: 134776c45222fc42938fa465a7d11dfeca6324ea80fa65f78e01030d7e1f9c1f
    • Opcode Fuzzy Hash: d72db9dc10e2592330f1b49f1f6a571d2a0c2580a8d1f8f266f91959117c9664
    • Instruction Fuzzy Hash: 6E1126BB28A1366DE6129E402A04AFB7F29FEC3330B306425F446D71C3E2900A499D74
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4eb1ce3fdc32a3290a95d2936a70b8e0785ba28b877fb133377f2fe1bd47969b
    • Instruction ID: 96ac01aa838516c835e12535ceda1658a858a07b978d8369fee0385b0c49611b
    • Opcode Fuzzy Hash: 4eb1ce3fdc32a3290a95d2936a70b8e0785ba28b877fb133377f2fe1bd47969b
    • Instruction Fuzzy Hash: 6A0128B724A1366EE621AA542A14BFB6F5DEEC3730F306415F845D61C3C5510E059D74
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0058095C
    Memory Dump Source
    • Source File: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 01f199afde613667e71099f9c9b5b1b9f2471599cd22e307d984fc6f4c8ce251
    • Instruction ID: e399b2b62119ff1f468b58bb16ad545e519e39ad0e07df8ec281dfcbabd36ea7
    • Opcode Fuzzy Hash: 01f199afde613667e71099f9c9b5b1b9f2471599cd22e307d984fc6f4c8ce251
    • Instruction Fuzzy Hash: F5119371A012299BFBB06A058C49BEBBB7CBF05750F1460A5EC45B71C2D7749DC88BE1
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04A50DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2256104432.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a50000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 4f8924e4a64a3e7a6b0634de31ae2763f13ea3b514d76f699941342773b19aac
    • Instruction ID: d3e0fc2ed1eb8bd977c7fb72522c5700a7531c0990d0e06bf6c1aaa2a6e5873c
    • Opcode Fuzzy Hash: 4f8924e4a64a3e7a6b0634de31ae2763f13ea3b514d76f699941342773b19aac
    • Instruction Fuzzy Hash: 812152B6C002089FCB10CFA9D984ADEFBF0EB88310F14811AE908AB215D734A500CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04A50DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2256104432.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a50000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 7d59ed17ed93a52eed86eb8d79e67183782cd0e743782a313c84b0bb50a453b3
    • Instruction ID: 174b6bc1aa3847494d07375be3bdc8b476ee5ad54ec87ea1db55566647f6b26e
    • Opcode Fuzzy Hash: 7d59ed17ed93a52eed86eb8d79e67183782cd0e743782a313c84b0bb50a453b3
    • Instruction Fuzzy Hash: 502133B6C00208DFCB50CF99D984ADEFBF4FB88710F14851AE808AB214D734A544CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04A51580
    Memory Dump Source
    • Source File: 00000000.00000002.2256104432.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a50000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 412b6258b2c3e7ba852145fdcc4d2e7aa6f32777c89039ca3e0f2f939f849dad
    • Instruction ID: d6912a034f5702991b0322ae86800c8ba901cca51f4c00e2d11617f057500a11
    • Opcode Fuzzy Hash: 412b6258b2c3e7ba852145fdcc4d2e7aa6f32777c89039ca3e0f2f939f849dad
    • Instruction Fuzzy Hash: D52114B5D00249DFDB10CF9AC584BEEFBF4EB48324F14842AE958A7250D378A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04A51580
    Memory Dump Source
    • Source File: 00000000.00000002.2256104432.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a50000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: df0ff2e4be8dab3fcc738f47ed60bd7080d84f8979cdb98f96571611df401113
    • Instruction ID: 5b62051337d2c139bd3120dd395088335d51eaa695054f9501d3ff38cfb315b2
    • Opcode Fuzzy Hash: df0ff2e4be8dab3fcc738f47ed60bd7080d84f8979cdb98f96571611df401113
    • Instruction Fuzzy Hash: D111C2B19006499FDB10CF9AC584BEEBBF4AB48324F108429E959A7250D778A644CFA5
    APIs
    • CreateFileA.KERNELBASE(D783C2B8), ref: 0052075A
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 51f886c0309b0476f7d80405e22219cd67b35cc2f28a2aed40d11ae346773c8d
    • Instruction ID: 45c5fe86fb8fa65c60f9ebb590f9c1d7da5c048f95424d18b4c4e79a5b9ab3c8
    • Opcode Fuzzy Hash: 51f886c0309b0476f7d80405e22219cd67b35cc2f28a2aed40d11ae346773c8d
    • Instruction Fuzzy Hash: 4BF0E0737491653DB601C514BD94EFF2B6CEEC2760B34942FF446C60C3C5506C491934
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04A51367
    Memory Dump Source
    • Source File: 00000000.00000002.2256104432.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a50000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: e87e8adbc7c81615b33dcd5375211b48a206cf2dc49e413243b046332c5bc497
    • Instruction ID: cbaf15ff48f724738095a6f8d072f62032dae0afdb6707ca5debc55356a36d01
    • Opcode Fuzzy Hash: e87e8adbc7c81615b33dcd5375211b48a206cf2dc49e413243b046332c5bc497
    • Instruction Fuzzy Hash: AC1122B1800649CFDB10CF9AC545BEEFBF4EF48324F20846AD958A7650D778A984CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04A51367
    Memory Dump Source
    • Source File: 00000000.00000002.2256104432.0000000004A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4a50000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 2b760b72481b198db8c4006d395a08608a3ce617a965ef072428b8a0609156d8
    • Instruction ID: ceedb33576cc32b7cbf972aeb605769451fa34f65986a6ed61a4713cdc76af2b
    • Opcode Fuzzy Hash: 2b760b72481b198db8c4006d395a08608a3ce617a965ef072428b8a0609156d8
    • Instruction Fuzzy Hash: 3F1133B1800349CFDB10CF9AC945BEEFBF8EB48324F20846AD558A3650D778A944CFA5
    APIs
    • CreateFileA.KERNELBASE(D783C2B8), ref: 0052075A
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 7ab3f43292da304e7356eaa094e5e90fbb3627df2ca9fcbfb5cc103a2b0d3662
    • Instruction ID: 863855c09584b0cdb1d7c2df4690d467dd51abbbc445e1c522b584b323e20598
    • Opcode Fuzzy Hash: 7ab3f43292da304e7356eaa094e5e90fbb3627df2ca9fcbfb5cc103a2b0d3662
    • Instruction Fuzzy Hash: C1E04FA364D2B13CF20282743D64BFE1F6DDAC2660B2D985FF842C70D3C949190D5671
    APIs
    • GetProcAddress.KERNEL32(005748B9,005748B9), ref: 0057514E
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 74d6bf273357eefce3849706f214fc116598bd00d1e51c52614e83bb8a092dc0
    • Instruction ID: 47419390a78c2620730e86cd3d3b16f9d49702c981745d836dc945cdab83b9a5
    • Opcode Fuzzy Hash: 74d6bf273357eefce3849706f214fc116598bd00d1e51c52614e83bb8a092dc0
    • Instruction Fuzzy Hash: 65E09236104446BA9F123F71FC0EA6D7E2ABFD0352B40C531B95E54022EBB1CA52FA21
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 8305563abe1ad67eb064cfc64768d2e93c0d04d0eecb60c5e44e62b31ad45fe6
    • Instruction ID: 5e1f7af7c91da0258e97a3b27f1aa8d377bcc7db04b517b1b85fbe7af82bdd37
    • Opcode Fuzzy Hash: 8305563abe1ad67eb064cfc64768d2e93c0d04d0eecb60c5e44e62b31ad45fe6
    • Instruction Fuzzy Hash: F9B001DA2095A57C3D0188916E10EBB0A3CE0E1B20375DC1ABE26C4401D6E8AE852034
    APIs
    • CreateFileA.KERNELBASE(D783C2B8), ref: 0052075A
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 51725317110c333ef2d47d871c9077578a9bd5788f5b4b393b39cf2f15ee0c88
    • Instruction ID: f975329d345a6252ba2e3241a37ff1cea6d63a3b3cc65175bfa9c254e8d81f28
    • Opcode Fuzzy Hash: 51725317110c333ef2d47d871c9077578a9bd5788f5b4b393b39cf2f15ee0c88
    • Instruction Fuzzy Hash: 02C08C226892A23DC61562742CA472C2D056F82604F4C205CA496AB1C3CC8424090208
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a06455c6a480c327994ac3e919edfa4702b7970f4a15eac05461e218e6ceacc6
    • Instruction ID: 3c5b39d1a3c849bdecbb1416b1c2716b406046976eef27ef373c8ee4329a7d52
    • Opcode Fuzzy Hash: a06455c6a480c327994ac3e919edfa4702b7970f4a15eac05461e218e6ceacc6
    • Instruction Fuzzy Hash: B6C002B5009616DFD7402F65944406DFEE5BE96791F264C2D908287A60E67044519B1A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: bf6fcda133cc076ca7e706ea20a2b76cccec507757d42514a85f33084f074d72
    • Instruction ID: b5c80a11a4e015b80a2fd50cf0a3afe0323138234b7486a2437c30cb8d3deab5
    • Opcode Fuzzy Hash: bf6fcda133cc076ca7e706ea20a2b76cccec507757d42514a85f33084f074d72
    • Instruction Fuzzy Hash: 3A01D272A0110EBEDF119FA4DC09DEEBF7AFF44350F808161B905A5061D7328A61EF60
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,005804D5,?,?,005801DB,?,?,005801DB,?,?,005801DB), ref: 005804F9
    Memory Dump Source
    • Source File: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 9e6509c1dcab3aeebb94a0c93508079a01d508160f65926173a8afbea0f6d620
    • Instruction ID: 9cdc6ad72efda9c722f212fe6c5a9f3116ec73a711bdc83f5cfcacdfee289901
    • Opcode Fuzzy Hash: 9e6509c1dcab3aeebb94a0c93508079a01d508160f65926173a8afbea0f6d620
    • Instruction Fuzzy Hash: F4F0D1B1900205EFD7A49F49D905B98BFE0FF49351F108025F84AAB991D3B088C0CBA4
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0039F791
    Memory Dump Source
    • Source File: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: bdef541d76a310accf907eca7eed405bee8e0c865ab7e871df16b217e1159177
    • Instruction ID: de81641d9b62508a1db5c1aa966327b001f2ef02bf70a4c1138c16809c818e1b
    • Opcode Fuzzy Hash: bdef541d76a310accf907eca7eed405bee8e0c865ab7e871df16b217e1159177
    • Instruction Fuzzy Hash: 83E0B63450C2098FDB41EF78C08959EBBA4EF18311F104A28D9A282A90DB321C60DB17
    APIs
    • CloseHandle.KERNELBASE(?,?,0057366C,?,?), ref: 005755EC
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 4db790b861311e860cd258d0bfa2a2c5e0e1aa60b4a5c6d7a3310091f03d8ce4
    • Instruction ID: e8f3240822e76389b398750e66d77f195a9162b37a57ee62a422896850a0213b
    • Opcode Fuzzy Hash: 4db790b861311e860cd258d0bfa2a2c5e0e1aa60b4a5c6d7a3310091f03d8ce4
    • Instruction Fuzzy Hash: 52B09232400509BBDB01BF61EC0A88DBF6AFF51398B00C520B90A44421DBB2E961EBD0
    APIs
      • Part of subcall function 005737CD: GetCurrentThreadId.KERNEL32 ref: 005737DC
      • Part of subcall function 005737CD: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0057381F
    • GetSystemTime.KERNEL32(?,-11F35FEC), ref: 0057794F
    • GetFileTime.KERNEL32(?,?,?,?,-11F35FEC), ref: 00577992
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: 650e64d3c6f064b43c561bd3addff4db76e92f8644400380685d0554018804d9
    • Instruction ID: f6831abd9d7ec8c8b071806f12552bfbd1dc43d643f3fd74bb29968310a6e407
    • Opcode Fuzzy Hash: 650e64d3c6f064b43c561bd3addff4db76e92f8644400380685d0554018804d9
    • Instruction Fuzzy Hash: 8401043220504ABBDB215F69F80CE8E7F66FFC8721B008121F50A59120C732C9A1EB61
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 57b31629f3ae09b03a4f0ae757c7ad39a7fd63eb3b6a4164e5c8a968734687b5
    • Instruction ID: 0a577c725f46345babb0d5b85ce08a346ba42bf7ad8a20e93e53907a8c9a0b57
    • Opcode Fuzzy Hash: 57b31629f3ae09b03a4f0ae757c7ad39a7fd63eb3b6a4164e5c8a968734687b5
    • Instruction Fuzzy Hash: E74104B251C210AFE346AF18D851ABEFBE4FF58360F260C2DE5C682210D6359590DB97
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 323f5369c2e5d7b8c3275972a6a36551ad1114d9b9fd96bff415dda6391de27a
    • Instruction ID: 499282621cfaac165f465344edaf2387a9c6972e111656a5d3f847a5f4f9ddc7
    • Opcode Fuzzy Hash: 323f5369c2e5d7b8c3275972a6a36551ad1114d9b9fd96bff415dda6391de27a
    • Instruction Fuzzy Hash: 884107B251C210AFE346AF18D8519BEFBE4FF14360F260C2DE5C682210D7359591DB97
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7c6c9c9b17ff73b47574129ed79014b2411d9ee8cb8345ac62ca56ec955406ba
    • Instruction ID: a0a1d08aefc3f0819cb9371b7ee66ade69637696f342dca4cd1f682de2861998
    • Opcode Fuzzy Hash: 7c6c9c9b17ff73b47574129ed79014b2411d9ee8cb8345ac62ca56ec955406ba
    • Instruction Fuzzy Hash: 473127B291C210AFE315BF29D8856BEFBE4EF58360F060D2DEAC593610D67558808B97
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 39472d71933c89021a6a118b93cafdd2d754afd2092dadbbf83494562cba260a
    • Instruction ID: 4a5bc6f9618972041ba57a8f3d400dbc423071a674b42395c8127ad480820a4c
    • Opcode Fuzzy Hash: 39472d71933c89021a6a118b93cafdd2d754afd2092dadbbf83494562cba260a
    • Instruction Fuzzy Hash: AD3135B291C210AFE315BF29D8856BEFBE4EF48320F160C2DEAC493610D63558808B97
    Memory Dump Source
    • Source File: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e0166ccff7e236547a8f3cdb94f8f7bba071b8092f6bdff4341bb2c22f8b4cd2
    • Instruction ID: 47cc7023c6ce69042ffc3061aee98def8d9a92669f23158175650328f622d872
    • Opcode Fuzzy Hash: e0166ccff7e236547a8f3cdb94f8f7bba071b8092f6bdff4341bb2c22f8b4cd2
    • Instruction Fuzzy Hash: 6541D3B251C210EFE346AF28D8519BEFBE4FF58760F16082DE6C682610D7359490DB97
    APIs
      • Part of subcall function 005737CD: GetCurrentThreadId.KERNEL32 ref: 005737DC
      • Part of subcall function 005737CD: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0057381F
      • Part of subcall function 00577ECE: IsBadWritePtr.KERNEL32(?,00000004), ref: 00577EDC
    • wsprintfA.USER32 ref: 00576E96
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00576F5A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: cb88148b06f9dfa07443787f443464cc01b3a6d5dfa850049a5c6b3f5502f701
    • Instruction ID: dc532b8798ab4b32a0022e9b8c3dad9fb6a4339a6a1267f068148e59a8f3ad81
    • Opcode Fuzzy Hash: cb88148b06f9dfa07443787f443464cc01b3a6d5dfa850049a5c6b3f5502f701
    • Instruction Fuzzy Hash: 1C31067190010ABFDF119FA4EC49EEEBF79FF88310F108125F915A61A0C7319A61EB61
    APIs
    • GetFileAttributesExW.KERNEL32(00B80184,00004020,00000000,-11F35FEC), ref: 00577B0E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2254154345.000000000056C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00390000, based on PE: true
    • Associated: 00000000.00000002.2253794973.0000000000390000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253810328.0000000000392000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253824855.0000000000396000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253839103.000000000039A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253854223.00000000003A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253945096.0000000000506000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253960408.0000000000508000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.000000000051A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2253977041.0000000000524000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254006973.000000000052F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254020272.0000000000530000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254035669.0000000000541000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254048517.0000000000542000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254060544.0000000000543000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254072410.0000000000544000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254086257.000000000054F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254098503.0000000000550000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254112901.0000000000556000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254129416.000000000056A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254141405.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254167812.0000000000578000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254180555.000000000057A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254192709.000000000057B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254205105.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254217815.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254230699.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254245180.000000000058C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254259685.0000000000592000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254272341.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254285748.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254299812.00000000005A5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254313287.00000000005A8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254326856.00000000005AF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254339676.00000000005B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254355922.00000000005B3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254368711.00000000005B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254382418.00000000005B6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254396614.00000000005BD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254412742.00000000005C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254426071.00000000005C7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254439048.00000000005C8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254453564.00000000005CF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254466905.00000000005D9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254484745.00000000005DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254512956.0000000000625000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254526320.0000000000626000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.000000000062F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254542202.0000000000635000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254572676.0000000000644000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2254585962.0000000000646000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_390000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 9dc1d5f9513ba0ea2e0a6b3658d9626b797b0d2e6090715ecdd9ea55e9112857
    • Instruction ID: eacb9e9b0da9ce1b9247f640fcf21d4f7f11352cd8220b486c6c09403e78b1bc
    • Opcode Fuzzy Hash: 9dc1d5f9513ba0ea2e0a6b3658d9626b797b0d2e6090715ecdd9ea55e9112857
    • Instruction Fuzzy Hash: 693171B550870AEFDB158F54E848B9EBFB5FF08310F108529F45A67650C375A6A4EF80