Windows Analysis Report
uw7vXaPNPF.exe

Overview

General Information

Sample name: uw7vXaPNPF.exe (renamed because the original name is a hash value)
Original sample name: 0f57c7a8b420e451c9f4dfe710d0dcd3.exe
Analysis ID: 1579678
MD5: 0f57c7a8b420e451c9f4dfe710d0dcd3
SHA1: ce586063030b771b50e0527f02ab8c11e75901b5
SHA256: bc3b18240bfa7834a398945b207b76c4445be32e590ef8459b41e4423f737ad3
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
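
Three of the static signatures above (invalid checksum, entry point outside standard sections, non-standard section names) need no sandbox to reproduce. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it implements the PE CheckSum algorithm and the entry-point/section-name checks with the standard library only, and runs them against a constructed PE32 (built by build_sample(), not the analysed file) whose section layout mimics the one the report lists later (an unnamed section, .rsrc, .idata, yyhljryf, ddvyecmu, .taggant, entry point in .taggant). The stored checksum value used for the toy file is arbitrary.

```python
"""Static PE triage that reproduces three of the report's signatures: 'PE file
contains an invalid checksum', 'Entry point lies outside standard sections' and
'PE file contains sections with non-standard names'. Standard library only; the
PE analysed here is constructed by build_sample(), not the real sample."""
import struct

# Names a linker normally emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as imagehlp's CheckSumMappedFile computes it: 32-bit words summed
    with end-around carry (skipping the CheckSum field itself), folded to 16 bits,
    plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i, (dword,) in enumerate(struct.iter_unpack("<I", padded)):
        if i == skip:
            continue
        total += dword
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def parse_pe(data: bytes):
    """Return (entry_rva, checksum_field_offset, stored_checksum, [(name, va, size)])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 0x40                      # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for n in range(nsections):
        hdr = opt + opt_size + 40 * n
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rawsize = struct.unpack_from("<III", data, hdr + 8)
        sections.append((name, va, max(vsize, rawsize)))
    return entry, checksum_off, stored, sections

def triage(data: bytes) -> dict:
    """The three static checks, keyed the way the report words them."""
    entry, checksum_off, stored, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_off)
    entry_section = next((n for n, va, size in sections if va <= entry < va + size), None)
    return {
        "section_names": [n for n, _, _ in sections],
        "nonstandard_sections": [n for n, _, _ in sections if n not in STANDARD_SECTIONS],
        "entry_section": entry_section,
        "entry_outside_standard": entry_section not in STANDARD_SECTIONS,
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed,
    }

def fix_checksum(data: bytes) -> bytes:
    """Write the correct CheckSum back, as a linker does at the end of a link."""
    _, checksum_off, _, _ = parse_pe(data)
    patched = bytearray(data)
    struct.pack_into("<I", patched, checksum_off, pe_checksum(data, checksum_off))
    return bytes(patched)

def build_sample(stored_checksum: int = 0x2B2552) -> bytes:
    """Constructed PE32 (not the analysed binary) mimicking the report's layout: an
    unnamed section, .rsrc, .idata, two gibberish names, entry point in .taggant,
    and a deliberately stale CheckSum (arbitrary value, cannot match this file)."""
    names = [b"", b".rsrc", b".idata", b"yyhljryf", b"ddvyecmu", b".taggant"]
    file_align, headers_size = 0x200, 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 * len(names))              # AddressOfEntryPoint: last section
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)                     # SizeOfHeaders
    struct.pack_into("<I", opt, 64, stored_checksum)                  # CheckSum
    section_headers, body = b"", b""
    for n, name in enumerate(names):
        va, raw_ptr = 0x1000 * (n + 1), headers_size + file_align * n
        section_headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), file_align,
                                       va, file_align, raw_ptr, 0, 0, 0, 0, 0xE0000020)
        body += bytes([0x90 + n]) * file_align                       # constructed filler
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section_headers
    return header.ljust(headers_size, b"\0") + body

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:24} {value}")
```

A CheckSum of zero is common in user-mode binaries, because the loader only enforces it for drivers; the interesting case is the one this report shows, a non-zero value that no longer matches (0x2b2552 stored, 0x2b46b7 expected), which means the file was modified after it was linked, typically by a packer. Running the script with fix_checksum() applied shows the same file passing the check, so the mismatch itself, not the algorithm, is the signal.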

Classification

  • System is w10x64
  • uw7vXaPNPF.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\uw7vXaPNPF.exe" MD5: 0F57C7A8B420E451C9F4DFE710D0DCD3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: uw7vXaPNPF.exe | ReversingLabs: Detection: 60%
Source: uw7vXaPNPF.exe | Virustotal: Detection: 61%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: uw7vXaPNPF.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00BB53AB CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: uw7vXaPNPF.exe, 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: uw7vXaPNPF.exe | Static PE information: section name: (empty)
Source: uw7vXaPNPF.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_009DDDA4
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61EDF
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61F01
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: String function: 00BB03A0 appears 35 times
Source: uw7vXaPNPF.exe, 00000000.00000000.1342315652.00000000009D6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: defOff.exe vs uw7vXaPNPF.exe
Source: uw7vXaPNPF.exe | Binary or memory string: OriginalFilename: defOff.exe vs uw7vXaPNPF.exe
Source: uw7vXaPNPF.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_050915D0 ChangeServiceConfigA
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uw7vXaPNPF.exe.log
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uw7vXaPNPF.exe | ReversingLabs: Detection: 60%
Source: uw7vXaPNPF.exe | Virustotal: Detection: 61%
Source: uw7vXaPNPF.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: uw7vXaPNPF.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: uw7vXaPNPF.exe | String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: ucrtbase_clr0400.dll (2 times)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Section loaded: sspicli.dll
Source: uw7vXaPNPF.exe | Static file information: File size 2814464 > 1048576
Source: uw7vXaPNPF.exe | Static PE information: Raw size of yyhljryf is bigger than: 0x100000 < 0x2a6400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: uw7vXaPNPF.exe, 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Unpacked PE file: 0.2.uw7vXaPNPF.exe.9d0000.0.unpack, section rights in memory: (unnamed):EW; .rsrc:W; .idata:W; yyhljryf:EW; ddvyecmu:EW; .taggant:EW vs original: (unnamed):ER; .rsrc:W
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: uw7vXaPNPF.exe | Static PE information: real checksum: 0x2b2552 should be: 0x2b46b7
Source: uw7vXaPNPF.exe | Static PE information: section name: (empty)
Source: uw7vXaPNPF.exe | Static PE information: section name: .idata
Source: uw7vXaPNPF.exe | Static PE information: section name: yyhljryf
Source: uw7vXaPNPF.exe | Static PE information: section name: ddvyecmu
Source: uw7vXaPNPF.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B710CF: push 68D6A77Ah; mov dword ptr [esp], ebp (at 0_2_00B707E9)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6F6F5: push esi; mov dword ptr [esp], 340913D7h (at 0_2_00B72A05)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61988: push 38E50907h; mov dword ptr [esp], eax (at 0_2_00B619C9)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61988: push 42A7E3DBh; mov dword ptr [esp], eax (at 0_2_00B61A37)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61988: push ebp; mov dword ptr [esp], eax (at 0_2_00B61A99)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61AD0: push ebp; mov dword ptr [esp], 3F59B4A8h (at 0_2_00B61B13)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61AD0: push ebp; mov dword ptr [esp], edx (at 0_2_00B61B48)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B61AD0: push eax; mov dword ptr [esp], ebx (at 0_2_00B61B5F)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_009DED09: push 5E6A1688h; mov dword ptr [esp], ebx (at 0_2_009DEED2)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B620B7: push edx; mov dword ptr [esp], edi (at 0_2_00B620D9)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B620B7: push 5AA7DD75h; mov dword ptr [esp], edi (at 0_2_00B620F2)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B620B7: push ecx; mov dword ptr [esp], esi (at 0_2_00B62107)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B620B7: push ebx; mov dword ptr [esp], edx (at 0_2_00B6211E)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6F0A6: push edi; mov dword ptr [esp], ebp (at 0_2_00B6F0D8)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00BE30A6: push 17556359h; mov dword ptr [esp], edx (at 0_2_00BE30D0)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B5F0AA: push 2B53CDFDh; mov dword ptr [esp], edx (at 0_2_00B5F311)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B5F0AA: push edx; mov dword ptr [esp], 7FE37B00h (at 0_2_00B5F31C)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00C340E6: push edi; mov dword ptr [esp], edx (at 0_2_00C340FD)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00C340E6: push ecx; mov dword ptr [esp], 3DFE6B38h (at 0_2_00C34101)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6209F: push ecx; mov dword ptr [esp], esi (at 0_2_00B62107)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6209F: push ebx; mov dword ptr [esp], edx (at 0_2_00B6211E)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00C270EC: push ebp; mov dword ptr [esp], edi (at 0_2_00C27100)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6208C: push edx; mov dword ptr [esp], edi (at 0_2_00B620D9)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6208C: push 5AA7DD75h; mov dword ptr [esp], edi (at 0_2_00B620F2)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6208C: push ecx; mov dword ptr [esp], esi (at 0_2_00B62107)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B6208C: push ebx; mov dword ptr [esp], edx (at 0_2_00B6211E)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_009E10DB: push edi; mov dword ptr [esp], ecx (at 0_2_009E10E1)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B700D5: push esi; mov dword ptr [esp], 7FFA2DA9h (at 0_2_00B72820)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B5F0DC: push edi; mov dword ptr [esp], edx (at 0_2_00B5F6B0)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_009DC0EF: push 7DB724CBh; mov dword ptr [esp], edi (at 0_2_009DC4EE)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00B5F035: push 3EE63E50h; mov dword ptr [esp], edx (at 0_2_00B5F03A)
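
Every "push X; mov dword ptr [esp], Y" pair listed above is one push written as two instructions: the first value lands on the stack and is immediately overwritten, so only Y survives. The idiom inflates the disassembly and defeats naive signature matching, which is what the "code obfuscation techniques (call, push, ret)" signature reacts to. The following Python is an added example, not part of the report or the sample: a normaliser that recognises the two 32-bit encodings of the idiom (68 imm32 / 89 modrm 24 and 50+r / C7 04 24 imm32) and rewrites each into the plain push, NOP-padded so no offsets move. The test bytes are constructed here from the first two listings above.

```python
"""Normalise the 'push X; mov dword ptr [esp], Y' idiom. Both forms are a single
push in disguise: the first value is dead and immediately overwritten.
  68 imm32 ; 89 /r [esp]   (modrm 0x04 | reg << 3, SIB 0x24)  ->  push reg
  50+reg   ; C7 04 24 imm32                                   ->  push imm32
Only the 3-byte [esp] addressing form is handled; the disp8 variant
(89 44 24 00) is left alone."""
import struct

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def normalise_pushes(code: bytes) -> list:
    """Return [(offset, length, text)] for every obfuscated push in code."""
    found, i = [], 0
    while i + 8 <= len(code):
        b = code[i]
        # push imm32 ; mov dword ptr [esp], r32
        if (b == 0x68 and code[i + 5] == 0x89
                and (code[i + 6] & 0xC7) == 0x04 and code[i + 7] == 0x24):
            reg = (code[i + 6] >> 3) & 7
            found.append((i, 8, f"push {REGS[reg]}"))
            i += 8
            continue
        # push r32 ; mov dword ptr [esp], imm32
        if 0x50 <= b <= 0x57 and code[i + 1:i + 4] == b"\xC7\x04\x24":
            imm = struct.unpack_from("<I", code, i + 4)[0]
            found.append((i, 8, f"push {imm:#010x}"))
            i += 8
            continue
        i += 1
    return found

def rewrite(code: bytes) -> bytes:
    """Replace each idiom with the equivalent plain push, NOP-padded to the same
    length so that no other offset in the buffer moves."""
    out = bytearray(code)
    for offset, length, text in normalise_pushes(code):
        operand = text.split()[1]
        if operand in REGS:
            plain = bytes([0x50 + REGS.index(operand)])
        else:
            plain = b"\x68" + struct.pack("<I", int(operand, 16))
        out[offset:offset + length] = plain.ljust(length, b"\x90")
    return bytes(out)

# Constructed bytes encoding the first two listings from the report:
#   push 68D6A77Ah; mov dword ptr [esp], ebp   and   push esi; mov dword ptr [esp], 340913D7h
SAMPLE = bytes.fromhex("68 7a a7 d6 68 89 2c 24" "56 c7 04 24 d7 13 09 34")

if __name__ == "__main__":
    for offset, length, text in normalise_pushes(SAMPLE):
        print(f"{offset:#06x}  {SAMPLE[offset:offset + length].hex(' ')}  ->  {text}")
    print(rewrite(SAMPLE).hex(" "))
```

Running it prints "push ebp" and "push 0x340913d7" for the two listings; the rewritten buffer starts 55 90 90 ... 68 d7 13 09 34 90 90 90, which any disassembler reads as the two plain pushes. The scan is linear and does not follow control flow, so on real packer code it is a first pass to run before disassembly rather than a replacement for it.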

Boot Survival

Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Window searched: window name: FilemonClass (2 times)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 times)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Window searched: window name: Regmonclass (2 times)
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Process information set: NOOPENFILEERRORBOX (16 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B627BB second address: B627C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B619A8 second address: B619AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B61D80 second address: B61D85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B61EE8 second address: B61EEE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B61EEE second address: B61EF3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B61EF3 second address: B61F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB12CBAF1B0h 0x0000000c jp 00007FB12CBAF1A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B64F15 second address: B64F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B64FD8 second address: B64FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B64FDE second address: B64FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B650EA second address: B650EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B650EF second address: B65134 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB12CBDA244h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d xor dword ptr [ebp+122D26BDh], esi 0x00000013 push 00000000h 0x00000015 mov si, 4AF3h 0x00000019 call 00007FB12CBDA239h 0x0000001e jne 00007FB12CBDA23Eh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B65134 second address: B6514C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B6514C second address: B6516B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB12CBDA236h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push esi 0x00000014 jl 00007FB12CBDA236h 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B6516B second address: B6516F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B6516F second address: B65192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA247h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B65192 second address: B65197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B652C9 second address: B652E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB12CBDA244h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8345E second address: B83463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B83463 second address: B83477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB12CBDA23Ah 0x00000009 jl 00007FB12CBDA236h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8357D second address: B8358F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1ACh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8358F second address: B83593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B83593 second address: B83599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B839AF second address: B839D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB12CBDA249h 0x00000008 js 00007FB12CBDA236h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B83B7F second address: B83B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84271 second address: B84284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a je 00007FB12CBDA236h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8450C second address: B84510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B77EA3 second address: B77EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB12CBDA236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84C9A second address: B84C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84C9E second address: B84CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84CA2 second address: B84CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84CAC second address: B84CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB12CBDA236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84CB6 second address: B84CC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84F69 second address: B84F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84F79 second address: B84F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84F7F second address: B84F93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA23Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B84F93 second address: B84F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB12CBAF1A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853CA second address: B853CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853CE second address: B853E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FB12CBAF1A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853E0 second address: B853E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853E4 second address: B853EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853EA second address: B853F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853F0 second address: B853F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B853F6 second address: B853FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8645D second address: B86461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B86C6E second address: B86C94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA246h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FB12CBDA23Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B86C94 second address: B86C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B87D06 second address: B87D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007FB12CBDA240h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jl 00007FB12CBDA236h 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB12CBDA240h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8F5EB second address: B8F5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8F5EF second address: B8F5F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8F5F9 second address: B8F5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8F76A second address: B8F785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007FB12CBDA23Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FB12CBDA236h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8F785 second address: B8F789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FD4C second address: B8FD7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB12CBDA242h 0x0000000e jmp 00007FB12CBDA245h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FD7C second address: B8FDAD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB12CBAF1ACh 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB12CBAF1B8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FDAD second address: B8FDB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FDB3 second address: B8FDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FDB9 second address: B8FDC4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FF94 second address: B8FF9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B8FF9A second address: B8FFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B91645 second address: B9164B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B9164B second address: B9164F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B917B6 second address: B917BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B917BB second address: B917C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B917C1 second address: B917C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B91B8F second address: B91B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FB12CBDA236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B924BD second address: B924C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB12CBAF1A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B9257D second address: B92587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB12CBDA236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B92587 second address: B9258B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B92646 second address: B9264C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B92800 second address: B92804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B92804 second address: B9280A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B9280A second address: B92825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B92825 second address: B92829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | RDTSC instruction interceptor: First address: B92F51 second address: B92F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B92F55 second address: B92F86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx esi, di 0x0000000d mov edi, dword ptr [ebp+122D2259h] 0x00000013 push 00000000h 0x00000015 movsx edi, si 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b mov edi, 201123D6h 0x00000020 stc 0x00000021 popad 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 jng 00007FB12CBDA23Ch 0x0000002b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B941E4 second address: B941FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B941FB second address: B941FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B941FF second address: B94203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9628D second address: B96293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B96293 second address: B962A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007FB12CBAF1AEh 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B96DCE second address: B96DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B96DD3 second address: B96E18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e jmp 00007FB12CBAF1AFh 0x00000013 push 00000000h 0x00000015 mov esi, 3C2481A9h 0x0000001a jmp 00007FB12CBAF1ABh 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 push edi 0x00000023 pop edi 0x00000024 jnl 00007FB12CBAF1A6h 0x0000002a popad 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B977C4 second address: B97855 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB12CBDA236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 jng 00007FB12CBDA243h 0x00000016 nop 0x00000017 jnp 00007FB12CBDA24Fh 0x0000001d jbe 00007FB12CBDA249h 0x00000023 mov dword ptr [ebp+124665A8h], ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FB12CBDA238h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 push eax 0x00000046 adc si, CA8Fh 0x0000004b pop esi 0x0000004c push 00000000h 0x0000004e xor esi, dword ptr [ebp+122D3B5Ah] 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FB12CBDA247h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B97551 second address: B97555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B98172 second address: B9818D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB12CBDA23Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FB12CBDA236h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9818D second address: B98193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B98193 second address: B98199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B98199 second address: B981D7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB12CBAF1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D3A66h] 0x00000013 mov esi, eax 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 mov edi, dword ptr [ebp+122D3A92h] 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edi 0x00000022 jmp 00007FB12CBAF1ADh 0x00000027 pop edi 0x00000028 pop eax 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushad 0x0000002e popad 0x0000002f jns 00007FB12CBAF1A6h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B981D7 second address: B981DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B981DC second address: B981E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9890A second address: B98932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 jc 00007FB12CBDA24Dh 0x0000000e jmp 00007FB12CBDA247h 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9C712 second address: B9C718 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9E611 second address: B9E615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9E615 second address: B9E61B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9D7CD second address: B9D851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA241h 0x00000009 popad 0x0000000a pop ebx 0x0000000b nop 0x0000000c cld 0x0000000d push dword ptr fs:[00000000h] 0x00000014 xor dword ptr [ebp+12480AD7h], ebx 0x0000001a and edi, 1D5F8FA1h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 js 00007FB12CBDA23Ch 0x0000002d mov dword ptr [ebp+122D26EEh], edx 0x00000033 mov eax, dword ptr [ebp+122D0991h] 0x00000039 mov ebx, esi 0x0000003b push FFFFFFFFh 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007FB12CBDA238h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 push eax 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FB12CBDA244h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9E61B second address: B9E6AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, dword ptr [ebp+122D209Bh] 0x00000010 push 00000000h 0x00000012 pushad 0x00000013 je 00007FB12CBAF1BFh 0x00000019 jmp 00007FB12CBAF1B9h 0x0000001e call 00007FB12CBAF1B9h 0x00000023 push ecx 0x00000024 pop eax 0x00000025 pop edi 0x00000026 popad 0x00000027 push 00000000h 0x00000029 xor ebx, 44857873h 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 push ecx 0x00000032 pushad 0x00000033 popad 0x00000034 pop ecx 0x00000035 jno 00007FB12CBAF1B0h 0x0000003b popad 0x0000003c push eax 0x0000003d pushad 0x0000003e jmp 00007FB12CBAF1B1h 0x00000043 push ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9E8BE second address: B9E8C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9E8C2 second address: B9E8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B9E8C8 second address: B9E8CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA0776 second address: BA0782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA0782 second address: BA0786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA1753 second address: BA176B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA26C1 second address: BA26C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA26C5 second address: BA272A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FB12CBAF1A8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 js 00007FB12CBAF1A9h 0x00000029 mov di, dx 0x0000002c movzx edi, dx 0x0000002f push 00000000h 0x00000031 mov dword ptr [ebp+122D37DCh], eax 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007FB12CBAF1A8h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push esi 0x00000058 pop esi 0x00000059 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA272A second address: BA2734 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA2895 second address: BA293A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007FB12CBAF1B8h 0x0000000c push eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 popad 0x00000011 nop 0x00000012 mov dword ptr [ebp+122D263Ah], ecx 0x00000018 push dword ptr fs:[00000000h] 0x0000001f call 00007FB12CBAF1B8h 0x00000024 mov dword ptr [ebp+122D2C11h], edx 0x0000002a pop ebx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007FB12CBAF1A8h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Ah 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c or dword ptr [ebp+122D338Bh], ecx 0x00000052 mov eax, dword ptr [ebp+122D0245h] 0x00000058 mov ebx, dword ptr [ebp+122D3A56h] 0x0000005e add dword ptr [ebp+12474034h], ebx 0x00000064 push FFFFFFFFh 0x00000066 jng 00007FB12CBAF1ACh 0x0000006c mov dword ptr [ebp+122D312Bh], ebx 0x00000072 push eax 0x00000073 pushad 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA293A second address: BA2940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA2940 second address: BA294D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FB12CBAF1ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA3717 second address: BA377F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FB12CBDA238h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 jmp 00007FB12CBDA243h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB12CBDA238h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 sub dword ptr [ebp+12473F73h], ebx 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA377F second address: BA3789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA3789 second address: BA378D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA378D second address: BA3791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA38F4 second address: BA38FE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB12CBDA23Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA38FE second address: BA3982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add edi, 66B62981h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 xor di, 46F0h 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007FB12CBAF1A8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a jnc 00007FB12CBAF1ACh 0x00000040 mov eax, dword ptr [ebp+122D127Dh] 0x00000046 mov dword ptr [ebp+122D3857h], ebx 0x0000004c push FFFFFFFFh 0x0000004e mov ebx, dword ptr [ebp+1248731Ch] 0x00000054 mov bh, F1h 0x00000056 nop 0x00000057 pushad 0x00000058 jl 00007FB12CBAF1B4h 0x0000005e jmp 00007FB12CBAF1AEh 0x00000063 pushad 0x00000064 jmp 00007FB12CBAF1ADh 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA79B3 second address: BA79B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA79B7 second address: BA7A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 or edi, 1835EA16h 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D30C9h], ebx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FB12CBAF1A8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 jmp 00007FB12CBAF1B7h 0x00000037 xchg eax, esi 0x00000038 ja 00007FB12CBAF1B4h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jc 00007FB12CBAF1ACh 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA7A2A second address: BA7A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA7A2E second address: BA7A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA7A33 second address: BA7A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA8A05 second address: BA8A09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA8A09 second address: BA8A13 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB12CBDA236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA8A13 second address: BA8A38 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB12CBAF1B0h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FB12CBAF1ACh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA8A38 second address: BA8AD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA247h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FB12CBDA238h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 xor bl, 0000005Dh 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FB12CBDA238h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007FB12CBDA238h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 0000001Bh 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jnl 00007FB12CBDA238h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA7C8A second address: BA7C98 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA9C36 second address: BA9C3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA9C3C second address: BA9C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA9C42 second address: BA9C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA9C46 second address: BA9C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jnl 00007FB12CBAF1A6h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA9C59 second address: BA9CFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FB12CBDA23Bh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D37B8h], edi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FB12CBDA238h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 call 00007FB12CBDA243h 0x00000038 push ecx 0x00000039 mov ebx, dword ptr [ebp+12459A30h] 0x0000003f pop ebx 0x00000040 pop edi 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov eax, dword ptr [ebp+122D03E9h] 0x0000004e push 00000000h 0x00000050 push esi 0x00000051 call 00007FB12CBDA238h 0x00000056 pop esi 0x00000057 mov dword ptr [esp+04h], esi 0x0000005b add dword ptr [esp+04h], 00000017h 0x00000063 inc esi 0x00000064 push esi 0x00000065 ret 0x00000066 pop esi 0x00000067 ret 0x00000068 mov edi, 3F1A9BC5h 0x0000006d push FFFFFFFFh 0x0000006f xor dword ptr [ebp+122D35D5h], edi 0x00000075 push edi 0x00000076 mov edi, dword ptr [ebp+122D3BDEh] 0x0000007c pop edi 0x0000007d nop 0x0000007e push edi 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BA9CFE second address: BA9D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB12CBAF1A6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BAB9D3 second address: BAB9F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FB12CBDA248h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BACDD8 second address: BACDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBAD7E second address: BBAD82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBAD82 second address: BBAD88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBAEB3 second address: BBAED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA243h 0x00000009 pop esi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBAED4 second address: BBAEDE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB12CBAF1A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBAEDE second address: BBAEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB12CBDA238h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBB071 second address: BBB097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB12CBAF1B9h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBB097 second address: BBB09D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BBB09D second address: BBB0A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BC1B9B second address: BC1BEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA241h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 jl 00007FB12CBDA23Ah 0x0000001f push ecx 0x00000020 pushad 0x00000021 popad 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 pushad 0x00000028 pushad 0x00000029 push eax 0x0000002a pop eax 0x0000002b jmp 00007FB12CBDA23Fh 0x00000030 popad 0x00000031 pushad 0x00000032 js 00007FB12CBDA236h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BFABAA second address: BFABAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BFABAF second address: BFABC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBAF1B3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: BFCE16 second address: BFCE31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FB12CBDA246h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C015AF second address: C015D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB12CBAF1B4h 0x0000000c je 00007FB12CBAF1A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C015D0 second address: C015E0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB12CBDA236h 0x00000008 jnp 00007FB12CBDA236h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C015E0 second address: C01621 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B0h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007FB12CBAF1C5h 0x00000017 jmp 00007FB12CBAF1B3h 0x0000001c jmp 00007FB12CBAF1ACh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C01621 second address: C0163F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA241h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007FB12CBDA236h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C05BE2 second address: C05BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C05D83 second address: C05D8F instructions: 0x00000000 rdtsc 0x00000002 js 00007FB12CBDA23Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C05EC9 second address: C05ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C06188 second address: C0619D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB12CBDA23Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0619D second address: C061A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C061A1 second address: C061D4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB12CBDA236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB12CBDA245h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB12CBDA23Fh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0633F second address: C06353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBAF1AFh 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C06353 second address: C06370 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB12CBDA238h 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007FB12CBDA247h 0x00000010 jmp 00007FB12CBDA23Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C064B8 second address: C064C7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB12CBAF1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C064C7 second address: C064EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA247h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C06619 second address: C0661D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0661D second address: C0665D instructions: 0x00000000 rdtsc 0x00000002 js 00007FB12CBDA236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 jmp 00007FB12CBDA248h 0x00000019 jmp 00007FB12CBDA243h 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B4BF46 second address: B4BF4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B4BF4A second address: B4BF63 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FB12CBDA241h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0F7EE second address: C0F7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B45181 second address: B451B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA247h 0x00000009 jmp 00007FB12CBDA23Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jg 00007FB12CBDA236h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B451B5 second address: B451D6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB12CBAF1A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FB12CBAF1A6h 0x00000014 jmp 00007FB12CBAF1ADh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0D9D8 second address: C0D9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0DE6D second address: C0DE97 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FB12CBAF1B2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB12CBAF1B0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0DE97 second address: C0DE9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0E53D second address: C0E542 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0E542 second address: C0E55E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB12CBDA241h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0E55E second address: C0E562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0E562 second address: C0E580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA248h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0E848 second address: C0E84E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0D538 second address: C0D53C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0D53C second address: C0D551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C0D551 second address: C0D555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C16F30 second address: C16F35 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C16BFD second address: C16C0F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB12CBDA236h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007FB12CBDA236h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2892C second address: C2894E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB12CBAF1B7h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2894E second address: C2895E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA23Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2895E second address: C2897E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB12CBAF1B6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C28AB7 second address: C28AD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FB12CBDA243h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C28AD5 second address: C28ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C28ADB second address: C28AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FB12CBDA236h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C28AEE second address: C28AF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2B214 second address: C2B23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FB12CBDA23Dh 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007FB12CBDA23Fh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2B23B second address: C2B270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB12CBAF1ABh 0x00000008 jmp 00007FB12CBAF1B1h 0x0000000d jmp 00007FB12CBAF1B2h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2B270 second address: C2B276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2F9CB second address: C2F9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB12CBAF1A6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2F9DC second address: C2F9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2F9E0 second address: C2F9E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2E561 second address: C2E577 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA23Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2E577 second address: C2E583 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB12CBAF1A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2E6E2 second address: C2E6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C2E6EB second address: C2E6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB12CBAF1A6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B50FAD second address: B50FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA23Bh 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jng 00007FB12CBDA238h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B50FC9 second address: B50FD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B50FD1 second address: B50FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C35E8E second address: C35E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C35E92 second address: C35EDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBDA23Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FB12CBDA249h 0x0000000f jmp 00007FB12CBDA243h 0x00000014 jmp 00007FB12CBDA249h 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007FB12CBDA236h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C375F9 second address: C375FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C375FD second address: C37603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C37603 second address: C3760B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C3760B second address: C3760F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C3760F second address: C3761F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C3761F second address: C37624 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C3C06E second address: C3C073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B52A83 second address: B52A8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: B52A8B second address: B52A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C3BF1E second address: C3BF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C3BF22 second address: C3BF26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4263A second address: C4265E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA249h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4265E second address: C4267A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBAF1B8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4267A second address: C4267E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C42806 second address: C4280C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C42A7E second address: C42ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 jp 00007FB12CBDA23Ch 0x0000000d push edi 0x0000000e jmp 00007FB12CBDA23Bh 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop edi 0x00000016 jmp 00007FB12CBDA247h 0x0000001b popad 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C42ABC second address: C42AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB12CBAF1A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C42C25 second address: C42C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C42DD2 second address: C42DD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C42DD8 second address: C42DF0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB12CBDA238h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB12CBDA23Ah 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C43B86 second address: C43B8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C463C9 second address: C463DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FB12CBDA236h 0x0000000a jmp 00007FB12CBDA23Bh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4A230 second address: C4A234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4A234 second address: C4A25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FB12CBDA241h 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007FB12CBDA23Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4A25C second address: C4A261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C4A261 second address: C4A269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C49F89 second address: C49F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C55767 second address: C5576B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C5576B second address: C55777 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FB12CBAF1A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C69235 second address: C69252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBDA23Ah 0x00000009 jng 00007FB12CBDA236h 0x0000000f popad 0x00000010 push ebx 0x00000011 jne 00007FB12CBDA236h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C6D235 second address: C6D23A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C7527A second address: C75285 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007FB12CBDA236h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C771A1 second address: C771C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB12CBAF1B9h 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C771C3 second address: C771DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FB12CBDA240h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C771DA second address: C771F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB12CBAF1B1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C771F5 second address: C771FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB12CBDA236h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C6CF2F second address: C6CF35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exeRDTSC instruction interceptor: First address: C6D0B2 second address: C6D0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c js 00007FB12CBDA236h 0x00000012 jc 00007FB12CBDA236h 0x00000018 push eax 0x00000019 pop eax 0x0000001a popad 0x0000001b pushad 0x0000001c jmp 00007FB12CBDA23Bh 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 pushad 0x00000025 jg 00007FB12CBDA236h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
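Each RDTSC interceptor entry above lists the instructions executed between two consecutive RDTSC reads, and most entries chain: the second address of one is the first address of the next. Reading a dozen of these by eye is slow, so the script below parses them, links the chains, and checks what sits between the reads. It is an added example, not part of Joe Sandbox or of the sample. SAMPLE_ENTRIES is the instruction text of the BFB663..BFB698 chain and the first three hops of the BF97C6.. chain, copied from the report; the chain linking and the stack-shape simulation are this example's own reading of those lines. A timing check needs a subtraction and a compare somewhere, and the script reports whether either appears inside the logged windows (for the sample entries it does not: the filler is push/pop, pushad/popad and jumps only).

```python
"""Characterise the code between consecutive RDTSC reads from Joe Sandbox
'RDTSC instruction interceptor' lines.

Added example, not part of Joe Sandbox or of the sample. SAMPLE_ENTRIES is
copied from the report (instruction text only); the chain linking and the
stack-shape simulation are this example's own reading of those lines."""
import re
from collections import Counter

ENTRY_RE = re.compile(
    r"RDTSC instruction interceptor:\s*First address:\s*([0-9A-Fa-f]+)"
    r"\s*second address:\s*([0-9A-Fa-f]+)\s*instructions:\s*(.*)$")
OFFSET_RE = re.compile(r"0x[0-9a-fA-F]{8}\s+")   # "0x0000000a push edx" prefix
STACK_OPS = {"push", "pop", "pushad", "popad"}


def parse_entries(report_text):
    """One dict per line: both RDTSC addresses and the (mnemonic, operand)
    list between them, the two RDTSCs included."""
    entries = []
    for line in report_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        insns = []
        for chunk in OFFSET_RE.split(m.group(3)):
            if chunk.strip():
                mnemonic, _, operand = chunk.strip().partition(" ")
                insns.append((mnemonic, operand))
        entries.append({"first": int(m.group(1), 16),
                        "second": int(m.group(2), 16), "insns": insns})
    return entries


def build_chains(entries):
    """Link entries whose first address is the previous entry's second
    address: the report logs every RDTSC-to-RDTSC hop, so linked entries
    are one contiguous stretch of code."""
    chains = []
    for e in entries:
        if chains and chains[-1][-1]["second"] == e["first"]:
            chains[-1].append(e)
        else:
            chains.append([e])
    return chains


def analyse_chain(chain):
    """Count reads and simulate only the stack shape of the filler.
    The trailing RDTSC of one entry is the leading RDTSC of the next, so it
    is counted once. A pop that finds the simulated stack empty restores a
    value pushed before the logged window began."""
    mnemonics = Counter()
    sim = []                       # register names, or 'ALL' for pushad
    depth = min_depth = mismatched_pops = unseen_pops = 0
    for i, e in enumerate(chain):
        for mnemonic, operand in (e["insns"] if i == 0 else e["insns"][1:]):
            mnemonics[mnemonic] += 1
            if mnemonic in ("push", "pushad"):
                sim.append(operand if mnemonic == "push" else "ALL")
                depth += 1
            elif mnemonic in ("pop", "popad"):
                depth -= 1
                min_depth = min(min_depth, depth)
                if not sim:
                    unseen_pops += 1
                elif sim.pop() != (operand if mnemonic == "pop" else "ALL"):
                    mismatched_pops += 1
    filler = [m for m in mnemonics if m != "rdtsc"]
    return {
        "start": chain[0]["first"], "end": chain[-1]["second"],
        "span_bytes": chain[-1]["second"] - chain[0]["first"],
        "rdtsc_reads": mnemonics["rdtsc"],
        "instructions": sum(mnemonics.values()),
        "branches": sum(n for m, n in mnemonics.items() if m.startswith("j")),
        # True when only stack save/restore and jumps sit between the reads:
        # no compare, subtract or store of a timestamp inside the window.
        "junk_only_filler": all(m in STACK_OPS or m.startswith("j") for m in filler),
        "net_depth": depth, "min_depth": min_depth,
        "mismatched_pops": mismatched_pops, "unseen_pops": unseen_pops,
    }


def summarise(report_text):
    return [analyse_chain(c) for c in build_chains(parse_entries(report_text))]


# Instruction text copied from the report: the BFB663..BFB698 chain and the
# first three hops of the BF97C6.. chain.
SAMPLE_ENTRIES = r"""
RDTSC instruction interceptor: First address: BFB663 second address: BFB66B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
RDTSC instruction interceptor: First address: BFB66B second address: BFB66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
RDTSC instruction interceptor: First address: BFB66F second address: BFB68E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB12CBAF1B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
RDTSC instruction interceptor: First address: BFB68E second address: BFB694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
RDTSC instruction interceptor: First address: BFB694 second address: BFB698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
RDTSC instruction interceptor: First address: BF97C6 second address: BF97DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jl 00007FB12CBDA236h 0x0000000b jnp 00007FB12CBDA236h 0x00000011 popad 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
RDTSC instruction interceptor: First address: BF97DD second address: BF97EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FB12CBAF1A6h 0x00000011 rdtsc
RDTSC instruction interceptor: First address: BF97EE second address: BF97F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
"""

if __name__ == "__main__":
    for c in summarise(SAMPLE_ENTRIES):
        print(f"{c['start']:X}-{c['end']:X}: {c['rdtsc_reads']} rdtsc reads in "
              f"{c['span_bytes']} bytes, junk-only filler={c['junk_only_filler']}, "
              f"net stack depth {c['net_depth']} (min {c['min_depth']}), "
              f"{c['unseen_pops']} pops of values pushed before the window")
```

Run it against the full report text (the Source prefix does not matter, the regex searches for the "RDTSC instruction interceptor:" cell) to get one summary per chain. A negative min_depth or a non-zero unseen_pops count means the logged window starts in the middle of a save/restore sequence, so the interceptor is showing only part of the protector's routine; junk_only_filler tells you whether the timestamp comparison can be inside the window at all.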
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Special instruction interceptor: First address: 9DDD20 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Special instruction interceptor: First address: BACE25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Special instruction interceptor: First address: 9DDC6A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Special instruction interceptor: First address: C183B4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Memory allocated: 4FB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Memory allocated: 5130000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Memory allocated: 4FB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\uw7vXaP NPF.exe | Code function: 0_2_00B65240 rdtsc 0_2_00B65240
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe TID: 7736 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Code function: 0_2_00BBDEF2 GetSystemInfo,VirtualAlloc,0_2_00BBDEF2
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Thread delayed: delay time: 922337203685477
Source: uw7vXaPNPF.exe | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: uw7vXaPNPF.exe | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: uw7vXaPNPF.exe, 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the drive
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - File opened: NTICE
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - File opened: SICE
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - File opened: SIWVID
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Code function: 0_2_00B65240 rdtsc 0_2_00B65240
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Code function: 0_2_009DB984 LdrInitializeThunk,0_2_009DB984
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Memory allocated: page read and write | page guard
Source: uw7vXaPNPF.exe, uw7vXaPNPF.exe, 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: "Program Manager
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Code function: 0_2_00BB44ED GetSystemTime,GetFileTime,0_2_00BB44ED

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\uw7vXaPNPF.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques observed in this analysis are marked with their hit count in parentheses; unmarked entries are the remaining cells of the matrix)

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
  • Execution: Command and Scripting Interpreter (2), Service Execution (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
  • Persistence: Windows Service (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
  • Privilege Escalation: Windows Service (1), Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1), DLL Side-Loading (1), Bypass User Account Control (2)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
  • Discovery: System Time Discovery (1), Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (24), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery, Network Sniffing
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
  • Command and Control: Encrypted Channel (2), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Source | Detection | Scanner | Label
uw7vXaPNPF.exe | 61% | ReversingLabs | Win32.Spyware.Lummastealer
uw7vXaPNPF.exe | 61% | Virustotal |
uw7vXaPNPF.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
    No contacted IP infos
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1579678
    Start date and time: 2024-12-23 07:25:54 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 2m 29s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 3
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: uw7vXaPNPF.exe (renamed because the original name is a hash value)
    Original Sample Name: 0f57c7a8b420e451c9f4dfe710d0dcd3.exe
    Detection: MAL
    Classification: mal100.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information: Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 13.107.246.63
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    No simulations
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-part-0035.t-0009.t-msedge.net | HOEcO4nqCT.exe | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | D7M4c24p9T.exe | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | fW6RLQpTIt.exe | malicious | Cryptbot | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | gjEtERlBSv.exe | malicious | Socks5Systemz | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | clip64.dll | malicious | Amadey | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | https://staging.effimate.toyo.ai-powered-services.com/ | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | https://customervoice.microsoft.com/Pages/ResponsePage.aspx?id=Ne7lLAcjQUaMUQJ9C8JRxUnNOxFiqmxEvtl5lDv69HJUMDcyQThVMFBaMzdYWTM3RDY1SVZJUUVaSC4u | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | https://gADK.quantumdhub.ru/HX8hiLPadaz1N7WrltpPjHg34q_2C98ig/ | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | 1734732185f25c13093a41a2402fb93b0e0049d55263e81e9d0e56f9c3736f6444c26eed34495.dat-decoded.exe | malicious | LummaC | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | 2QaN4hOyJs.exe | malicious | XWorm | 13.107.246.63
    No context
    Process: C:\Users\user\Desktop\uw7vXaPNPF.exe
    File Type: CSV text
    Category: dropped
    Size (bytes): 226
    Entropy (8bit): 5.360398796477698
    Encrypted: false
    SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
    MD5: 3A8957C6382192B71471BD14359D0B12
    SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
    SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
    SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
    Malicious: true
    Reputation: high, very likely benign file
    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
    File type: PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit): 6.4627969913065115
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name: uw7vXaPNPF.exe
    File size: 2'814'464 bytes
    MD5: 0f57c7a8b420e451c9f4dfe710d0dcd3
    SHA1: ce586063030b771b50e0527f02ab8c11e75901b5
    SHA256: bc3b18240bfa7834a398945b207b76c4445be32e590ef8459b41e4423f737ad3
    SHA512: b22c22d5c7221611d6d7bd733e80e7f6105c3d161903a4dfe91ec460b7b0d26131ed3a4140a1f104382e3a721a41b7c490ff08cd3e6b62b9f1663752b897b3f0
    SSDEEP: 49152:2Dwu9APnRSsufnJqBXd9e58stDE0gVxJQUWq316qWrVya4:2DRAPnMsufnJgX0WVUUWqEXrU
    TLSH: 34D53BA2F50971CFE48E17789527CD8A9A6D03B91B1508C3AD6C75B9FD73CC212BAC24
    File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@+.. ...`....@.. ........................+.....R%+...`................................
    Icon Hash: 00928e8e8686b000
    Entrypoint: 0x6b4000
    Entrypoint Section: .taggant
    Digitally signed: false
    Imagebase: 0x400000
    Subsystem: windows gui
    Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
    Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major: 4
    OS Version Minor: 0
    File Version Major: 4
    File Version Minor: 0
    Subsystem Version Major: 4
    Subsystem Version Minor: 0
    Import Hash: 2eabe9054cad5152567f0699947a2c5b
    Instruction: jmp 00007FB12D0D07DAh
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x544 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    (unnamed) | 0x2000 | 0x4000 | 0x4000 | 4d1f9b87774d7072304da3a0ce1ea2de | False | 0.3353271484375 | data | 5.063817710552147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6000 | 0x544 | 0x600 | 66f1faa8706f0a4070d24696bcded2f0 | False | 0.408203125 | data | 4.460395930973943 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    yyhljryf | 0xa000 | 0x2a8000 | 0x2a6400 | 80986f9ce8bb4734c4cc56a9cfd5df3e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    ddvyecmu | 0x2b2000 | 0x2000 | 0x400 | 7fe3a68ff142f15581ac7c247eb098eb | False | 0.8115234375 | data | 6.3334895728613185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .taggant | 0x2b4000 | 0x4000 | 0x2200 | aa0aab554de374a9857e528b3f7a272d | False | 0.06973805147058823 | DOS executable (COM) | 0.8895844021079824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x60a0 | 0x30c | data | | | 0.42948717948717946
    RT_MANIFEST | 0x63ac | 0x198 | ASCII text, with CRLF line terminators | | | 0.5833333333333334
    DLL | Import
    kernel32.dll | lstrcpy
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Dec 23, 2024 07:26:42.352571964 CET | 1.1.1.1 | 192.168.2.9 | 0x21ba | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
    Dec 23, 2024 07:26:42.352571964 CET | 1.1.1.1 | 192.168.2.9 | 0x21ba | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false

    Target ID: 0
    Start time: 01:26:45
    Start date: 23/12/2024
    Path: C:\Users\user\Desktop\uw7vXaPNPF.exe
    Wow64 process (32bit): true
    Commandline: "C:\Users\user\Desktop\uw7vXaPNPF.exe"
    Imagebase: 0x9d0000
    File size: 2'814'464 bytes
    MD5 hash: 0F57C7A8B420E451C9F4DFE710D0DCD3
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: C, C++ or other language
    Reputation: low
    Has exited: true


      Execution Graph

      Execution Coverage: 6.6%
      Dynamic/Decrypted Code Coverage: 4%
      Signature Coverage: 4.6%
      Total number of Nodes: 372
      Total number of Limit Nodes: 24
      execution_graph 8596 5091308 8597 5091349 ImpersonateLoggedOnUser 8596->8597 8598 5091376 8597->8598 8599 5090d48 8600 5090d93 OpenSCManagerW 8599->8600 8602 5090ddc 8600->8602 8603 9e2b9c 8604 9e2bdc 8603->8604 8605 9e2ba9 8603->8605 8605->8604 8607 bbe093 8605->8607 8610 bbe0a1 8607->8610 8609 bbe0c1 8609->8604 8610->8609 8611 bbe363 8610->8611 8612 bbe373 8611->8612 8614 bbe396 8611->8614 8612->8614 8615 bbe75d 8612->8615 8614->8610 8619 bbe764 8615->8619 8617 bbe7ae 8617->8614 8619->8617 8620 bbe66b 8619->8620 8624 bbe91e 8619->8624 8622 bbe680 8620->8622 8621 bbe70a GetModuleFileNameA 8621->8622 8622->8621 8623 bbe740 8622->8623 8623->8619 8625 bbe932 GetModuleHandleA 8624->8625 8627 bbe94f 8624->8627 8626 bbe94a 8625->8626 8625->8627 8626->8619 8627->8626 8628 bbea6d VirtualProtect 8627->8628 8628->8627 8629 b6f6f5 8630 b729f8 LoadLibraryA 8629->8630 8631 b72c51 8630->8631 8632 bbdef2 GetSystemInfo 8633 bbdf12 8632->8633 8634 bbdf50 VirtualAlloc 8632->8634 8633->8634 8647 bbe23e 8634->8647 8636 bbdf97 8637 bbe23e VirtualAlloc GetModuleFileNameA GetModuleHandleA VirtualProtect 8636->8637 8646 bbe06c 8636->8646 8639 bbdfc1 8637->8639 8638 bbe088 GetModuleFileNameA GetModuleHandleA VirtualProtect 8640 bbe030 8638->8640 8641 bbe23e VirtualAlloc GetModuleFileNameA GetModuleHandleA VirtualProtect 8639->8641 8639->8646 8642 bbdfeb 8641->8642 8643 bbe23e VirtualAlloc GetModuleFileNameA GetModuleHandleA VirtualProtect 8642->8643 8642->8646 8644 bbe015 8643->8644 8644->8640 8645 bbe23e VirtualAlloc GetModuleFileNameA GetModuleHandleA VirtualProtect 8644->8645 8644->8646 8645->8646 8646->8638 8646->8640 8649 bbe246 8647->8649 8650 bbe25a 8649->8650 8651 bbe272 8649->8651 8657 bbe10a 8650->8657 8653 bbe10a 3 API calls 8651->8653 8654 bbe283 8653->8654 8659 bbe295 8654->8659 8662 bbe112 8657->8662 8660 bbe2a6 VirtualAlloc 8659->8660 8661 bbe291 8659->8661 8660->8661 8663 bbe125 8662->8663 8664 bbe168 8663->8664 8665 bbe75d 3 API calls 8663->8665 8665->8664 8666 
bb4970 8668 bb497c 8666->8668 8673 bb03a0 GetCurrentThreadId 8668->8673 8670 bb4988 8672 bb49a8 8670->8672 8675 bb48c7 8670->8675 8674 bb03b8 8673->8674 8674->8670 8677 bb48d3 8675->8677 8678 bb48e7 8677->8678 8679 bb03a0 GetCurrentThreadId 8678->8679 8680 bb48ff 8679->8680 8688 bb0b04 8680->8688 8685 bb492a 8686 bb4957 GetFileAttributesA 8686->8685 8687 bb4946 GetFileAttributesW 8687->8685 8689 bb0bb8 8688->8689 8690 bb0b18 8688->8690 8689->8685 8692 bb0ab2 8689->8692 8690->8689 8696 bb0953 8690->8696 8693 bb0ac3 8692->8693 8694 bb0b00 8692->8694 8693->8694 8695 bb0953 2 API calls 8693->8695 8694->8685 8694->8686 8694->8687 8695->8693 8698 bb0980 8696->8698 8697 bb0a86 8697->8690 8698->8697 8699 bb09c9 8698->8699 8700 bb09ae PathAddExtensionA 8698->8700 8704 bb09eb 8699->8704 8708 bb05f4 8699->8708 8700->8699 8701 bb0a34 8701->8697 8703 bb0a5d 8701->8703 8706 bb05f4 lstrcmpiA 8701->8706 8703->8697 8707 bb05f4 lstrcmpiA 8703->8707 8704->8697 8704->8701 8705 bb05f4 lstrcmpiA 8704->8705 8705->8701 8706->8703 8707->8697 8709 bb0612 8708->8709 8710 bb0629 8709->8710 8712 bb0571 8709->8712 8710->8704 8713 bb059c 8712->8713 8714 bb05ce lstrcmpiA 8713->8714 8715 bb05e4 8713->8715 8714->8715 8715->8710 8716 bb1bb7 8719 bb19ff 8716->8719 8722 bb1a66 8719->8722 8721 bb1a14 8724 bb1a73 8722->8724 8726 bb1a89 8724->8726 8725 bb1aae 8728 bb03a0 GetCurrentThreadId 8725->8728 8726->8725 8737 bb1a91 8726->8737 8741 bbf165 8726->8741 8733 bb1ab3 8728->8733 8729 bb1b5e 8763 bb189e 8729->8763 8730 bb1b71 8731 bb1b7b LoadLibraryExW 8730->8731 8732 bb1b8f LoadLibraryExA 8730->8732 8735 bb1b35 8731->8735 8732->8735 8736 bb0ab2 2 API calls 8733->8736 8738 bb1ac4 8736->8738 8737->8729 8737->8730 8738->8737 8739 bb1af2 8738->8739 8743 bb13de 8739->8743 8767 bbf174 8741->8767 8744 bb13fa 8743->8744 8745 bb1404 8743->8745 8744->8735 8775 bb0c31 8745->8775 8750 bb14fe 8750->8744 8807 bb1bf0 8750->8807 8753 bb1454 8753->8750 8754 bb1481 8753->8754 8785 bb0e0f 8753->8785 8789 bb10aa 8754->8789 
8757 bb148c 8757->8750 8794 bb1021 8757->8794 8759 bb14b9 8759->8750 8760 bb14e1 8759->8760 8798 bbedba 8759->8798 8760->8750 8802 bbeab3 8760->8802 8764 bb18a9 8763->8764 8765 bb18ca LoadLibraryExA 8764->8765 8766 bb18b9 8764->8766 8765->8766 8766->8735 8768 bbf184 8767->8768 8769 bb03a0 GetCurrentThreadId 8768->8769 8774 bbf1d6 8768->8774 8770 bbf1ec 8769->8770 8771 bb0ab2 2 API calls 8770->8771 8772 bbf1fe 8771->8772 8773 bb0ab2 2 API calls 8772->8773 8772->8774 8773->8774 8776 bb0c4d 8775->8776 8778 bb0ca6 8775->8778 8777 bb0c7d VirtualAlloc 8776->8777 8776->8778 8777->8778 8778->8744 8779 bb0cd7 VirtualAlloc 8778->8779 8780 bb0d1c 8779->8780 8780->8750 8781 bb0d54 8780->8781 8784 bb0d7c 8781->8784 8782 bb0d95 VirtualAlloc 8783 bb0df3 8782->8783 8782->8784 8783->8753 8784->8782 8784->8783 8786 bb0e2f 8785->8786 8788 bb0e2a 8785->8788 8787 bb0e62 lstrcmpiA 8786->8787 8786->8788 8787->8786 8787->8788 8788->8754 8790 bb11b6 8789->8790 8792 bb10d7 8789->8792 8790->8757 8792->8790 8809 bb0bbc 8792->8809 8817 bb1ccd 8792->8817 8795 bb104a 8794->8795 8796 bb108b 8795->8796 8797 bb1062 VirtualProtect 8795->8797 8796->8759 8797->8795 8797->8796 8799 bbee87 8798->8799 8800 bbedd6 8798->8800 8799->8760 8800->8799 8801 bbe91e 2 API calls 8800->8801 8801->8800 8803 bbeb47 8802->8803 8806 bbeac4 8802->8806 8803->8750 8804 bbe75d 3 API calls 8804->8806 8805 bbe91e GetModuleHandleA VirtualProtect 8805->8806 8806->8803 8806->8804 8806->8805 8842 bb1bfc 8807->8842 8810 bb19ff 18 API calls 8809->8810 8812 bb0bcf 8810->8812 8811 bb0c15 8811->8792 8812->8811 8813 bb0c21 8812->8813 8815 bb0bf8 8812->8815 8814 bb1bf0 2 API calls 8813->8814 8814->8811 8815->8811 8816 bb1bf0 2 API calls 8815->8816 8816->8811 8819 bb1cd6 8817->8819 8820 bb1ce5 8819->8820 8822 bb03a0 GetCurrentThreadId 8820->8822 8826 bb1ced 8820->8826 8821 bb1d1a GetProcAddress 8823 bb1d10 8821->8823 8824 bb1cf7 8822->8824 8825 bb1d07 8824->8825 8824->8826 8828 bb172e 8825->8828 8826->8821 8829 bb181a 8828->8829 8830 
bb174d 8828->8830 8829->8823 8830->8829 8831 bb178a lstrcmpiA 8830->8831 8832 bb17b4 8830->8832 8831->8830 8831->8832 8832->8829 8834 bb1677 8832->8834 8835 bb1688 8834->8835 8836 bb16b8 lstrcpyn 8835->8836 8841 bb1713 8835->8841 8838 bb16d4 8836->8838 8836->8841 8837 bb0bbc 17 API calls 8839 bb1702 8837->8839 8838->8837 8838->8841 8840 bb1ccd 17 API calls 8839->8840 8839->8841 8840->8841 8841->8829 8843 bb1c0b 8842->8843 8844 bb1c13 8843->8844 8846 bb03a0 GetCurrentThreadId 8843->8846 8845 bb1c61 FreeLibrary 8844->8845 8850 bb1c48 8845->8850 8847 bb1c1d 8846->8847 8847->8844 8848 bb1c2d 8847->8848 8851 bb15de 8848->8851 8852 bb1641 8851->8852 8853 bb1601 8851->8853 8852->8850 8853->8852 8855 bb019a 8853->8855 8856 bb01a3 8855->8856 8857 bb01bb 8856->8857 8859 bb0181 8856->8859 8857->8852 8860 bb1bf0 2 API calls 8859->8860 8861 bb018e 8860->8861 8861->8856 8862 bbeef6 8864 bbef02 8862->8864 8865 bbef14 8864->8865 8866 bb19ff 18 API calls 8865->8866 8868 bbef23 8866->8868 8867 bbef3c 8868->8867 8869 bbeab3 3 API calls 8868->8869 8869->8867 8870 bb4cea 8872 bb4cf3 8870->8872 8873 bb03a0 GetCurrentThreadId 8872->8873 8874 bb4cff 8873->8874 8875 bb4d18 8874->8875 8876 bb4d4f ReadFile 8874->8876 8876->8875 8877 9ded09 8878 9deea7 VirtualAlloc 8877->8878 8879 9df100 8878->8879 8880 5091510 8881 5091558 ControlService 8880->8881 8882 509158f 8881->8882 8883 bb2062 8884 bb03a0 GetCurrentThreadId 8883->8884 8885 bb206e 8884->8885 8886 bb208c 8885->8886 8887 bb0ab2 2 API calls 8885->8887 8888 bb20bd GetModuleHandleExA 8886->8888 8889 bb2094 8886->8889 8887->8886 8888->8889 8890 50915d0 8891 509164e ChangeServiceConfigA 8890->8891 8893 50918da 8891->8893 8894 b650ad 8895 b650b1 CreateFileA 8894->8895 8897 b650cf 8895->8897 8898 bb5627 8899 bb03a0 GetCurrentThreadId 8898->8899 8900 bb5633 8899->8900 8901 bb569b MapViewOfFileEx 8900->8901 8902 bb564c 8900->8902 8901->8902 8903 bb445b 8904 bb03a0 GetCurrentThreadId 8903->8904 8905 bb4467 GetCurrentProcess 8904->8905 8906 bb44b3 
8905->8906 8908 bb4477 8905->8908 8907 bb44b8 DuplicateHandle 8906->8907 8911 bb44ae 8907->8911 8908->8906 8909 bb44a2 8908->8909 8912 bb21f8 8909->8912 8915 bb2222 8912->8915 8913 bb22b5 8913->8911 8915->8913 8916 bb21e0 8915->8916 8919 bb024b 8916->8919 8920 bb0261 8919->8920 8922 bb027b 8920->8922 8923 bb022f 8920->8923 8922->8913 8926 bb21b9 CloseHandle 8923->8926 8925 bb023f 8925->8922 8927 bb21cd 8926->8927 8927->8925 8928 b652d5 8929 b65351 8928->8929 8930 b652dd CreateFileA 8928->8930 8932 b65307 8930->8932 8935 bb4bd7 8937 bb4be3 8935->8937 8938 bb03a0 GetCurrentThreadId 8937->8938 8939 bb4bef 8938->8939 8940 bb4c0f 8939->8940 8942 bb4ae3 8939->8942 8944 bb4aef 8942->8944 8945 bb4b03 8944->8945 8946 bb03a0 GetCurrentThreadId 8945->8946 8947 bb4b1b 8946->8947 8948 bb4b30 8947->8948 8968 bb49fc 8947->8968 8952 bb4b38 8948->8952 8960 bb4aa1 IsBadWritePtr 8948->8960 8955 bb4b89 CreateFileW 8952->8955 8956 bb4bac CreateFileA 8952->8956 8953 bb0ab2 2 API calls 8954 bb4b6b 8953->8954 8954->8952 8957 bb4b73 8954->8957 8959 bb4b79 8955->8959 8956->8959 8962 bb22f6 8957->8962 8961 bb4ac3 8960->8961 8961->8952 8961->8953 8963 bb2303 8962->8963 8964 bb233c CreateFileA 8963->8964 8967 bb23fe 8963->8967 8965 bb2388 8964->8965 8966 bb21b9 CloseHandle 8965->8966 8965->8967 8966->8967 8967->8959 8970 bb4a0b GetWindowsDirectoryA 8968->8970 8971 bb4a35 8970->8971 8972 bb54c9 8974 bb54d5 8972->8974 8976 bb54ed 8974->8976 8977 bb5517 8976->8977 8978 bb5403 8976->8978 8980 bb540f 8978->8980 8981 bb03a0 GetCurrentThreadId 8980->8981 8982 bb5422 8981->8982 8983 bb549b 8982->8983 8984 bb5460 8982->8984 8987 bb543c 8982->8987 8985 bb54a0 CreateFileMappingA 8983->8985 8984->8987 8988 bb2ada 8984->8988 8985->8987 8990 bb2af1 8988->8990 8989 bb2b5a CreateFileA 8992 bb2b9f 8989->8992 8990->8989 8991 bb2bee 8990->8991 8991->8987 8992->8991 8993 bb21b9 CloseHandle 8992->8993 8993->8991 8994 bb1f0f 8996 bb1f1b 8994->8996 8997 bb1f2f 8996->8997 8999 bb1f57 8997->8999 9000 bb1f70 8997->9000 
9002 bb1f79 9000->9002 9003 bb1f88 9002->9003 9004 bb1f90 9003->9004 9005 bb03a0 GetCurrentThreadId 9003->9005 9006 bb2033 GetModuleHandleW 9004->9006 9007 bb2041 GetModuleHandleA 9004->9007 9008 bb1f9a 9005->9008 9009 bb1fc8 9006->9009 9007->9009 9010 bb1fb5 9008->9010 9011 bb0ab2 2 API calls 9008->9011 9010->9004 9010->9009 9011->9010 9012 bbee8c 9014 bbee98 9012->9014 9015 bbeeaa 9014->9015 9016 bbeab3 3 API calls 9015->9016 9017 bbeebc 9016->9017 9018 b710cf 9022 b707d1 9018->9022 9019 b72457 RegOpenKeyA 9019->9022 9020 b72430 RegOpenKeyA 9020->9019 9020->9022 9021 b724b8 GetNativeSystemInfo 9021->9022 9022->9018 9022->9019 9022->9020 9022->9021 9023 b702a0 9022->9023 9024 50910f0 9025 5091131 9024->9025 9028 bb30f4 9025->9028 9026 5091151 9029 bb03a0 GetCurrentThreadId 9028->9029 9030 bb3100 9029->9030 9031 bb3129 9030->9031 9032 bb3119 9030->9032 9034 bb312e CloseHandle 9031->9034 9033 bb21e0 CloseHandle 9032->9033 9035 bb311f 9033->9035 9034->9035 9035->9026 9036 bbef42 9038 bbef4e 9036->9038 9039 bbef60 9038->9039 9044 bb1a18 9039->9044 9041 bbef6f 9042 bbef88 9041->9042 9043 bbeab3 GetModuleFileNameA GetModuleHandleA VirtualProtect 9041->9043 9043->9042 9046 bb1a24 9044->9046 9047 bb1a39 9046->9047 9048 bb1a66 18 API calls 9047->9048 9049 bb1a57 9047->9049 9048->9049 9050 b61988 LoadLibraryA 9051 b619a3 9050->9051

      Control-flow Graph

      control_flow_graph 195 bbdef2-bbdf0c GetSystemInfo 196 bbdf12-bbdf4a 195->196 197 bbdf50-bbdf99 VirtualAlloc call bbe23e 195->197 196->197 201 bbe07f-bbe084 call bbe088 197->201 202 bbdf9f-bbdfc3 call bbe23e 197->202 209 bbe086-bbe087 201->209 202->201 208 bbdfc9-bbdfed call bbe23e 202->208 208->201 212 bbdff3-bbe017 call bbe23e 208->212 212->201 215 bbe01d-bbe02a 212->215 216 bbe050-bbe067 call bbe23e 215->216 217 bbe030-bbe04b 215->217 220 bbe06c-bbe06e 216->220 221 bbe07a 217->221 220->201 222 bbe074 220->222 221->209 222->221
      APIs
      • GetSystemInfo.KERNELBASE(?,-118F5FEC), ref: 00BBDEFE
      • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00BBDF5F
      Memory Dump Source
      • Source File: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: AllocInfoSystemVirtual
      • String ID:
      • API String ID: 3440192736-0
      • Opcode ID: b91a8284267b391d532c5e6de92c095888e5744c595b988e4cd84b3c655521d2
      • Instruction ID: e445233ea49a053d015bae6155593af1ec85439bc47d96d166bd0d2227fffc62
      • Opcode Fuzzy Hash: b91a8284267b391d532c5e6de92c095888e5744c595b988e4cd84b3c655521d2
      • Instruction Fuzzy Hash: 114117B1900206AFD725DF62CC45BE6BBECFB18741F0041A6AA07D9892E7B1D5D48BA1

      Control-flow Graph

      APIs
      • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 050918C8
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ChangeConfigService
      • String ID:
      • API String ID: 3849694230-0
      • Opcode ID: 57ee0b9068b6a57968fec0fe2bc7e7bf973758142dccf37904c524cc81e6e113
      • Instruction ID: bc9d8b8a9ec504feed5ae64d87f36d84c0fb76b7b9bf33cef33294f238579654
      • Opcode Fuzzy Hash: 57ee0b9068b6a57968fec0fe2bc7e7bf973758142dccf37904c524cc81e6e113
      • Instruction Fuzzy Hash: 36C16A71E0025A9FDF14CFA8E9857EEBBF2FF44300F048129E855A7288D7748881EB81
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 018297fb250e8842ac7ac6fdb60d23e0dec80d9ca4b5c2cd27c6bc01d4826bbc
      • Instruction ID: f7314de88bb948a555675c9d7e3361ff05a87b183e6910d79b5e028803b6a99b
      • Opcode Fuzzy Hash: 018297fb250e8842ac7ac6fdb60d23e0dec80d9ca4b5c2cd27c6bc01d4826bbc
      • Instruction Fuzzy Hash: 1801F7F244CB55ADD7309F648DA46BD37E9EB92330F3006A6E84296582E2E90D395624
      Memory Dump Source
      • Source File: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 036c4a85514a4874fbc3635589d0c8ad827a05141385f6896ae7eb2b3fd40b5c
      • Instruction ID: 1934f0292f072a3ef9292617b52cd682e3b0ef98c277e207cf1f887450e3bedf
      • Opcode Fuzzy Hash: 036c4a85514a4874fbc3635589d0c8ad827a05141385f6896ae7eb2b3fd40b5c
      • Instruction Fuzzy Hash: C6E08C3108E7C2DECB474B7848661507F709E1B21C32E68DBD5C9DB263C2192416C703

      Control-flow Graph

      APIs
      • LoadLibraryExW.KERNEL32(?,?,?), ref: 00BB1B84
      • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00BB1B98
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: .dll$.exe$1002
      • API String ID: 1029625771-847511843
      • Opcode ID: aae0d043cac43e95627fcb61ff2f66e7bbda99f0c1c1b3e954ec2c7b006fa87c
      • Instruction ID: 9ec6cd15f8d67600a6087c7e1f33df8599192af12137d6dcf7c64ff19ebd4413
      • Opcode Fuzzy Hash: aae0d043cac43e95627fcb61ff2f66e7bbda99f0c1c1b3e954ec2c7b006fa87c
      • Instruction Fuzzy Hash: 3A319F31900109EFCF25AF58D964AFD7BF6FF04350F5088A5F80696121EBB09DA1DBA1

      Control-flow Graph

      APIs
      • GetModuleHandleA.KERNELBASE(?,?,6578652E,?,00000001,00000000,?), ref: 00BBE93A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: HandleModule
      • String ID: .exe$.exe
      • API String ID: 4139908857-1392631246
      • Opcode ID: 670a41efa05adcab5703c68a4ebde41a95c685154da75382f04da7947203d8bd
      • Instruction ID: ed7fe09385b73108a6439c243230426b10cadbd4a45269e8dbb1faa5c39bb054
      • Opcode Fuzzy Hash: 670a41efa05adcab5703c68a4ebde41a95c685154da75382f04da7947203d8bd
      • Instruction Fuzzy Hash: 58416771900206EFDB20CF64D944BFA7BF5FB40310F148095E962AA1A2D3B1EC94DB91

      Control-flow Graph (basic blocks with their successors; the executed/not-executed colouring of the rendered graph is not present in the text export)
      • 77 bb1f79-bb1f8a, call bb18dd -> 80, 81
      • 80 bb1f90 -> 82
      • 81 bb1f95-bb1f9e, call bb03a0 -> 88, 89
      • 82 bb2029-bb202d -> 84, 85
      • 84 bb2033-bb203c, GetModuleHandleW -> 87
      • 85 bb2041-bb2044, GetModuleHandleA -> 87
      • 87 bb204a -> 91
      • 88 bb1fd2-bb1fd9 -> 92, 93
      • 89 bb1fa4-bb1fb0, call bb0ab2 -> 95
      • 91 bb2054-bb2056 (no successors)
      • 92 bb1fdf-bb1fe6 -> 93, 96
      • 93 bb2024, call bb044b -> 82
      • 95 bb1fb5-bb1fb7 -> 93, 97
      • 96 bb1fec-bb1ff3 -> 93, 98
      • 97 bb1fbd-bb1fc2 -> 93, 99
      • 98 bb1ff9-bb2000 -> 93, 100
      • 99 bb1fc8-bb204f, call bb044b -> 91
      • 100 bb2006-bb201a -> 93
      APIs
      • GetModuleHandleW.KERNEL32(?,?,?,?,00BB1F0B,?,00000000,00000000), ref: 00BB2036
      • GetModuleHandleA.KERNEL32(00000000,?,?,?,00BB1F0B,?,00000000,00000000), ref: 00BB2044
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: HandleModule
      • String ID: .dll
      • API String ID: 4139908857-2738580789
      • Opcode ID: 7bebfbefb4de0eb542495c298ee61536cec2f811d79a85d2f6816fdb0a61f2e5
      • Instruction ID: 5523154943e7095f8b17782caf3e5f1da4f1c90a81d9f15d99e429d61d7ce094
      • Opcode Fuzzy Hash: 7bebfbefb4de0eb542495c298ee61536cec2f811d79a85d2f6816fdb0a61f2e5
      • Instruction Fuzzy Hash: EB115E31600A09EFDB36AF24D8587F976F1FF00345F8081A2A502444E1C7F599D4DB81

      Control-flow Graph (basic blocks with their successors; executed/not-executed colouring not present in the text export)
      • 104 bb48d3-bb48e1 -> 105, 106
      • 105 bb48f3 -> 107
      • 106 bb48e7-bb48ee -> 107
      • 107 bb48fa-bb4910, call bb03a0, call bb0b04 -> 112, 113
      • 112 bb492f -> 115
      • 113 bb4916-bb4924, call bb0ab2 -> 119, 120
      • 115 bb4933-bb4936 -> 117
      • 117 bb4966-bb496d, call bb044b (no successors)
      • 119 bb493b-bb4940 -> 122, 123
      • 120 bb492a -> 115
      • 122 bb4957-bb495a, GetFileAttributesA -> 124
      • 123 bb4946-bb4952, GetFileAttributesW -> 124
      • 124 bb4960-bb4961 -> 117
      APIs
      • GetFileAttributesW.KERNELBASE(011B0174,-118F5FEC), ref: 00BB494C
      • GetFileAttributesA.KERNEL32(00000000,-118F5FEC), ref: 00BB495A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: identical to the 44 associated dumps listed for the GetModuleHandleW/GetModuleHandleA function record above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: e77911c8ef6abe7eee60ddf0ef3399e429fe7828b7fc7c44e8913ce11c866105
      • Instruction ID: 19e362f8f96e519484ea5cb3df1c13aeec4361936d808aece2f1ab8f69f9d97c
      • Opcode Fuzzy Hash: e77911c8ef6abe7eee60ddf0ef3399e429fe7828b7fc7c44e8913ce11c866105
      • Instruction Fuzzy Hash: A70119B0A05244FFEB21AF58D9497FE7EF0FF81345F2080E5E54269096D7F09A91E684

      Control-flow Graph (basic blocks with their successors; executed/not-executed colouring not present in the text export)
      • 125 b710cf-b710e6 -> 126
      • 126 b72406-b7242e -> 128, 129
      • 128 b72457-b72472, RegOpenKeyA -> 131, 132
      • 129 b72430-b7244b, RegOpenKeyA -> 128, 130
      • 130 b7244d -> 128
      • 131 b72474-b7247e -> 132
      • 132 b7248a-b724b6 -> 135, 136
      • 135 b724c3-b724cd -> 137, 138
      • 136 b724b8-b724c1, GetNativeSystemInfo -> 135
      • 137 b724cf -> 138
      • 138 b724d9-b724e7 -> 140, 141
      • 140 b724f3-b724fa -> 142, 143
      • 141 b724e9 -> 140
      • 142 b72500-b72507 -> 143, 144
      • 143 b7250d -> 143 (self-loop)
      • 144 b707d1-b707d8 -> 145, 146
      • 145 b702a0-b720e4 -> 148
      • 146 b707de-b707e9 -> 125
      • 148 b720e9 -> 148 (self-loop)
      APIs
      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B72443
      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B7246A
      • GetNativeSystemInfo.KERNELBASE(?), ref: 00B724C1
      Memory Dump Source
      • Source File: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: Open$InfoNativeSystem
      • String ID:
      • API String ID: 1247124224-0
      • Opcode ID: 44960f502204d339208d231f3606e94e7625f5fcc76e9d6d39f0e70666d70049
      • Instruction ID: 7ce55088ef6ad0a6a96d7b7b0126d944d06e989c69cb8eddfeecbbc1f49fdf30
      • Opcode Fuzzy Hash: 44960f502204d339208d231f3606e94e7625f5fcc76e9d6d39f0e70666d70049
      • Instruction Fuzzy Hash: 9F31067250414EEEEF11DF60C888BEE3BE4EF04314F440466EA5691950DBBA8DA4DF58
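      An added triage example, not part of the Joe Sandbox report: a parser for the text export of one of these function records. It turns the `control_flow_graph` token stream into blocks and edges (flagging blocks whose only successor is themselves), reads the `APIs` bullets into structured calls and decodes the first RegOpenKeyA argument to its HKEY_* hive using the standard winreg.h handle values, and splits the `Source File` dump name into base address and page protection. The sample input is constructed from the registry-probing record above plus the `Part of subcall function` bullet from the GetModuleHandleExA record further down; the field layout assumed for the `.sdmp` name (pid, kind, id, base, protection, state, type, index) is an inference from the names on this page, not documented Joe Sandbox behaviour.

```python
"""Triage helpers for the text export of a Joe Sandbox function record
(the 'control_flow_graph ...' line, the 'APIs' bullets and the 'Memory Dump
Source' line as they appear in the records on this page)."""
import re
from typing import Dict, List, Optional, Tuple

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Predefined hive handles from winreg.h; RegOpenKey* takes one as its first argument.
HKEY_NAMES = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
# PAGE_* protection constants from the Win32 memory API.
PAGE_NAMES = {
    0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}


def parse_cfg(line: str) -> Tuple[Dict[int, dict], List[Tuple[int, int]]]:
    """Tokenise a 'control_flow_graph ...' line.

    Grammar as exported: a node is '<id> <hexaddr>[-<hexaddr>]' followed by any
    number of 'call <hexaddr>' pairs or bare API names; an edge is '<id>-><id>'.
    The address after a node id is consumed unconditionally, so an all-digit
    hex address cannot be mistaken for the next node id."""
    tokens = line.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes: Dict[int, dict] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[int] = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit():
            cur = int(tok)
            nodes[cur] = {"range": tokens[i + 1], "calls": [], "apis": []}
            i += 2
        elif tok == "call":
            nodes[cur]["calls"].append(tokens[i + 1])
            i += 2
        else:
            nodes[cur]["apis"].append(tok)
            i += 1
    return nodes, edges


def self_loops(edges: List[Tuple[int, int]]) -> List[int]:
    """Blocks that branch only to themselves (single-block loops)."""
    return sorted({a for a, b in edges if a == b})


def parse_api_lines(text: str) -> List[dict]:
    """Read the 'APIs' bullets; decode the hive handle for RegOpenKey* calls."""
    out = []
    for raw in text.splitlines():
        m = API_RE.match(raw)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") is not None else []
        hive = None
        if m.group("api").startswith("RegOpenKey") and args:
            try:
                hive = HKEY_NAMES.get(int(args[0], 16))
            except ValueError:  # placeholder argument such as '?'
                hive = None
        out.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                    "ref": int(m.group("ref"), 16), "subcall_of": m.group("sub"), "hive": hive})
    return out


def decode_dump_name(name: str) -> dict:
    """Split '<pid>.<kind>.<id>.<base>.<prot>.<state>.<type>.<n>.sdmp'.
    ASSUMPTION: this field order is inferred from the dump names on the page,
    not taken from Joe Sandbox documentation; type 0x1000000 is read as MEM_IMAGE."""
    f = name.removesuffix(".sdmp").split(".")
    if len(f) != 8:
        raise ValueError("unexpected dump name layout")
    prot = int(f[4], 16)
    return {"pid": int(f[0], 16), "base": int(f[3], 16),
            "protection": PAGE_NAMES.get(prot, hex(prot)),
            "image_backed": int(f[6], 16) == 0x1000000}


# Constructed sample: the registry-probing record from this page, plus one
# 'Part of subcall function' bullet copied from the GetModuleHandleExA record.
SAMPLE_RECORD = """\
control_flow_graph 125 b710cf-b710e6 126 b72406-b7242e 125->126 128 b72457-b72472 RegOpenKeyA 126->128 129 b72430-b7244b RegOpenKeyA 126->129 131 b72474-b7247e 128->131 132 b7248a-b724b6 128->132 129->128 130 b7244d 129->130 130->128 131->132 135 b724c3-b724cd 132->135 136 b724b8-b724c1 GetNativeSystemInfo 132->136 137 b724cf 135->137 138 b724d9-b724e7 135->138 136->135 137->138 140 b724f3-b724fa 138->140 141 b724e9 138->141 142 b72500-b72507 140->142 143 b7250d 140->143 141->140 142->143 144 b707d1-b707d8 142->144 143->143 145 b702a0-b720e4 144->145 146 b707de-b707e9 144->146 148 b720e9 145->148 146->125 148->148
APIs
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00B72443
• RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00B7246A
• GetNativeSystemInfo.KERNELBASE(?), ref: 00B724C1
• Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
Memory Dump Source
• Source File: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
"""


def summarize(record: str) -> dict:
    """One-record summary: graph size, spin loops, which blocks hit which APIs,
    the hives touched, and where in memory the code was dumped from."""
    cfg_line = next(l for l in record.splitlines() if l.startswith("control_flow_graph"))
    nodes, edges = parse_cfg(cfg_line)
    apis = parse_api_lines(record)
    dump_m = re.search(r"Source File:\s*(\S+\.sdmp)", record)
    return {
        "blocks": len(nodes), "edges": len(edges), "self_loops": self_loops(edges),
        "api_blocks": {n: d["apis"] for n, d in nodes.items() if d["apis"]},
        "hives": [a["hive"] for a in apis if a["hive"]],
        "dump": decode_dump_name(dump_m.group(1)) if dump_m else None,
    }
```

      Run over the sample, the summary shows both hives (HKEY_CURRENT_USER then HKEY_LOCAL_MACHINE) being opened before GetNativeSystemInfo, two self-looping blocks (143 and 148), and a source region at 0xB6F000 mapped PAGE_EXECUTE_READWRITE inside the image, which is the combination that makes writable-then-executed image pages worth dumping.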

      Control-flow Graph (basic blocks with their successors; executed/not-executed colouring not present in the text export)
      • 149 bb0953-bb0983 -> 151, 152
      • 151 bb0989-bb099e -> 152, 154
      • 152 bb0aae-bb0aaf (no successors)
      • 154 bb09a4-bb09a8 -> 155, 156
      • 155 bb09ca-bb09d1 -> 157, 158
      • 156 bb09ae-bb09c0, PathAddExtensionA -> 161
      • 157 bb09f3-bb09fa -> 159, 160
      • 158 bb09d7-bb09e6, call bb05f4 -> 167
      • 159 bb0a3c-bb0a43 -> 165, 166
      • 160 bb0a00-bb0a07 -> 163, 164
      • 161 bb09c9 -> 155
      • 163 bb0a0d-bb0a16 -> 164, 168
      • 164 bb0a20-bb0a2f, call bb05f4 -> 174
      • 165 bb0a49-bb0a5f, call bb05f4 -> 152, 166
      • 166 bb0a65-bb0a6c -> 171, 172
      • 167 bb09eb-bb09ed -> 152, 157
      • 168 bb0a1c -> 164
      • 171 bb0a8e-bb0a95 -> 152, 173
      • 172 bb0a72-bb0a88, call bb05f4 -> 152, 171
      • 173 bb0a9b-bb0aa8, call bb062d -> 152
      • 174 bb0a34-bb0a36 -> 152, 159
      APIs
      • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00BB09B5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: identical to the 44 associated dumps listed for the GetModuleHandleW/GetModuleHandleA function record above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ExtensionPath
      • String ID: \\?\
      • API String ID: 158807944-4282027825
      • Opcode ID: fea2703f255e87a1b7f925d83f1e5c9b2a001a0bd82c99c9a24f45c6d76526bf
      • Instruction ID: a8779fd819b1fe2cec69f1f0cc31b648a809389f1b45c1dba5485bcf845c9099
      • Opcode Fuzzy Hash: fea2703f255e87a1b7f925d83f1e5c9b2a001a0bd82c99c9a24f45c6d76526bf
      • Instruction Fuzzy Hash: F7310735A10609FFDF21EF94D949BFEB6B5FF48704F000590B902A54A0D7B29AA1EF50

      Control-flow Graph (basic blocks with their successors; executed/not-executed colouring not present in the text export)
      • 180 bb2062-bb2075, call bb03a0 -> 183, 184
      • 183 bb207b-bb2087, call bb0ab2 -> 188
      • 184 bb20b8-bb20cc, call bb044b, GetModuleHandleExA -> 189
      • 188 bb208c-bb208e -> 184, 190
      • 189 bb20d6-bb20d8 (no successors)
      • 190 bb2094-bb209b -> 191, 192
      • 191 bb20a1 -> 192
      • 192 bb20a4-bb20d1, call bb044b -> 189
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
      • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00BB20C6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: identical to the 44 associated dumps listed for the GetModuleHandleW/GetModuleHandleA function record above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CurrentHandleModuleThread
      • String ID: .dll
      • API String ID: 2752942033-2738580789
      • Opcode ID: 0fcc3cbdb38978632201ce1d93dbab6613c53efec75f2041dd018562cce81422
      • Instruction ID: 432ef37d23be56f3e1f4c30f818d26c3bf72e3d9461a0d743340c027fe3638c4
      • Opcode Fuzzy Hash: 0fcc3cbdb38978632201ce1d93dbab6613c53efec75f2041dd018562cce81422
      • Instruction Fuzzy Hash: A3F06D31104205ABEB10BF64D889AFE3BE1FF08350F508491FE0585152C7B1C490DB51

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 223 bb4aef-bb4afd 224 bb4b0f 223->224 225 bb4b03-bb4b0a 223->225 226 bb4b16-bb4b22 call bb03a0 224->226 225->226 229 bb4b28-bb4b32 call bb49fc 226->229 230 bb4b3d-bb4b4d call bb4aa1 226->230 229->230 237 bb4b38 229->237 235 bb4b5f-bb4b6d call bb0ab2 230->235 236 bb4b53-bb4b5a 230->236 238 bb4b7e-bb4b83 235->238 243 bb4b73-bb4b74 call bb22f6 235->243 236->238 237->238 241 bb4b89-bb4ba7 CreateFileW 238->241 242 bb4bac-bb4bc1 CreateFileA 238->242 244 bb4bc7-bb4bc8 241->244 242->244 247 bb4b79 243->247 246 bb4bcd-bb4bd4 call bb044b 244->246 247->246
      APIs
      • CreateFileW.KERNELBASE(011B0174,?,?,-118F5FEC,?,?,?,-118F5FEC,?), ref: 00BB4BA1
        • Part of subcall function 00BB4AA1: IsBadWritePtr.KERNEL32(?,00000004), ref: 00BB4AAF
      • CreateFileA.KERNEL32(?,?,?,-118F5FEC,?,?,?,-118F5FEC,?), ref: 00BB4BC1
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile$Write
      • String ID:
      • API String ID: 1125675974-0
      • Opcode ID: f5aff1c33e7af65ab9f02f77fa1a6edd4fdf035dce527a85d517eb574ac514a5
      • Instruction ID: 6a27ff41da20e7d3faae4c8ea696f7a9730ff5cdd28b5d057385c3833e6f4469
      • Opcode Fuzzy Hash: f5aff1c33e7af65ab9f02f77fa1a6edd4fdf035dce527a85d517eb574ac514a5
      • Instruction Fuzzy Hash: 6311D671500109FBDF22AFA4DA49BFE3AB2BF04344F008195BA06654A2C7B5C9A1EB91

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 250 bb445b-bb4471 call bb03a0 GetCurrentProcess 253 bb44b3-bb44d5 call bb044b DuplicateHandle 250->253 254 bb4477-bb447a 250->254 260 bb44df-bb44e1 253->260 254->253 255 bb4480-bb4483 254->255 255->253 257 bb4489-bb449c call bb01fa 255->257 257->253 262 bb44a2-bb44da call bb21f8 call bb044b 257->262 262->260
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
      • GetCurrentProcess.KERNEL32(-118F5FEC), ref: 00BB4468
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00BB44CE
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: Current$DuplicateHandleProcessThread
      • String ID:
      • API String ID: 3748180921-0
      • Opcode ID: d8ddbd7466f3b3aeebb6f73527b76fdae4c876fb0815211b8f8687757a5a5b77
      • Instruction ID: 211e9990e270716ebb9bb4796427e9078977989fd2b2a560653e36d719ddd767
      • Opcode Fuzzy Hash: d8ddbd7466f3b3aeebb6f73527b76fdae4c876fb0815211b8f8687757a5a5b77
      • Instruction Fuzzy Hash: F2014B3210000AEB8F22AFA8ED08DFE3BF5FF88350B008151FA05A0115CBB5C472EB61

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 267 50915c4-509165a 269 509165c-5091666 267->269 270 5091693-50916b5 267->270 269->270 271 5091668-509166a 269->271 275 50916f1-5091712 270->275 276 50916b7-50916c4 270->276 273 509168d-5091690 271->273 274 509166c-5091676 271->274 273->270 277 5091678 274->277 278 509167a-5091689 274->278 286 509174b-509176d 275->286 287 5091714-509171e 275->287 276->275 279 50916c6-50916c8 276->279 277->278 278->278 280 509168b 278->280 281 50916eb-50916ee 279->281 282 50916ca-50916d4 279->282 280->273 281->275 284 50916d8-50916e7 282->284 285 50916d6 282->285 284->284 288 50916e9 284->288 285->284 293 50917a9-50917ca 286->293 294 509176f-509177c 286->294 287->286 289 5091720-5091722 287->289 288->281 291 5091745-5091748 289->291 292 5091724-509172e 289->292 291->286 295 5091730 292->295 296 5091732-5091741 292->296 304 50917cc-50917d6 293->304 305 5091803-5091825 293->305 294->293 298 509177e-5091780 294->298 295->296 296->296 297 5091743 296->297 297->291 299 50917a3-50917a6 298->299 300 5091782-509178c 298->300 299->293 302 509178e 300->302 303 5091790-509179f 300->303 302->303 303->303 307 50917a1 303->307 304->305 306 50917d8-50917da 304->306 313 5091861-5091867 305->313 314 5091827-5091834 305->314 308 50917fd-5091800 306->308 309 50917dc-50917e6 306->309 307->299 308->305 311 50917e8 309->311 312 50917ea-50917f9 309->312 311->312 312->312 315 50917fb 312->315 317 5091871-50918d8 ChangeServiceConfigA 313->317 314->313 316 5091836-5091838 314->316 315->308 318 509185b-509185e 316->318 319 509183a-5091844 316->319 320 50918da-50918e0 317->320 321 50918e1-5091920 317->321 318->313 322 5091848-5091857 319->322 323 5091846 319->323 320->321 327 5091930-5091934 321->327 328 5091922-5091926 321->328 322->322 325 5091859 322->325 323->322 325->318 330 5091944-5091948 327->330 331 5091936-509193a 327->331 328->327 329 5091928-509192b call 509013c 328->329 329->327 332 5091958-509195c 330->332 333 509194a-509194e 330->333 331->330 335 509193c-509193f call 509013c 331->335 337 509196c-5091970 332->337 338 509195e-5091962 332->338 333->332 336 5091950-5091953 call 509013c 333->336 335->330 336->332 342 5091980-5091984 337->342 343 5091972-5091976 337->343 338->337 341 5091964-5091967 call 509013c 338->341 341->337 346 5091994 342->346 347 5091986-509198a 342->347 343->342 345 5091978-509197b call 509013c 343->345 345->342 350 5091995 346->350 347->346 349 509198c-509198f call 509013c 347->349 349->346 350->350
      APIs
      • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 050918C8
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ChangeConfigService
      • String ID:
      • API String ID: 3849694230-0
      • Opcode ID: c70627fb364954980786667fc4f302b8a23d7b1a23e7921dab33d2f3f44e7632
      • Instruction ID: 50e808a67645ca2cb48a05fa2bd9f907c986b3d133293b9969aed6d2cee10906
      • Opcode Fuzzy Hash: c70627fb364954980786667fc4f302b8a23d7b1a23e7921dab33d2f3f44e7632
      • Instruction Fuzzy Hash: D0C16A75E0025A9FDF14CFA8E9857EEBBF2FB44300F148129E855E7288D7748881EB81

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 437 b64f71-b64f77 438 b64fe9-b64fee 437->438 439 b64f79-b64fa5 call b64fa8 437->439 441 b65052-b65053 438->441 442 b64ff0-b64ffd 438->442 444 b65059-b65060 441->444 443 b64fff-b65034 442->443 442->444 452 b6503a 443->452 453 b65035 call b6503d 443->453 446 b65066 444->446 447 b6507e 444->447 446->447 450 b65086-b650a1 447->450 451 b65084-b65085 447->451 455 b650a7 450->455 456 b650b1-b650b2 450->456 451->450 453->452 455->456 458 b650c0-b650c9 CreateFileA 456->458 459 b650b8-b650bf 456->459 460 b650cf-b650f1 458->460 461 b6533b-b65345 call b65348 458->461 459->458 464 b650f7 460->464 465 b65105-b651c5 call b6511f call b651c8 460->465 464->465
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 272c78878d37333ebc8ad719aece0b3759eb0756767429873c8a8f40636568c1
      • Instruction ID: dc20669ef2f171f778660f649037e91a6dec80d78fed26d8ff3437c1aa3011bc
      • Opcode Fuzzy Hash: 272c78878d37333ebc8ad719aece0b3759eb0756767429873c8a8f40636568c1
      • Instruction Fuzzy Hash: 0C4126B314C7527EE722CA609DA1BFF7BACDB82730F31449AF442DA482C29C4C659275

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 476 b6506b-b65075 477 b65077-b6507e 476->477 478 b6500f-b65034 476->478 482 b65086-b650a1 477->482 483 b65084-b65085 477->483 480 b6503a 478->480 481 b65035 call b6503d 478->481 481->480 484 b650a7 482->484 485 b650b1-b650b2 482->485 483->482 484->485 486 b650c0-b650c9 CreateFileA 485->486 487 b650b8-b650bf 485->487 488 b650cf-b650f1 486->488 489 b6533b-b65345 call b65348 486->489 487->486 492 b650f7 488->492 493 b65105-b651c5 call b6511f call b651c8 488->493 492->493
      APIs
      • CreateFileA.KERNELBASE(?,F53787D4), ref: 00B650C1
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 819e6a405e4b6c08142821ba5a8319b688ca1d896ac556e503c7bf82240be18e
      • Instruction ID: f9f46cba492fb1dff568e6e5588e935a31d0b077ef40dd2c19a028432574aee6
      • Opcode Fuzzy Hash: 819e6a405e4b6c08142821ba5a8319b688ca1d896ac556e503c7bf82240be18e
      • Instruction Fuzzy Hash: 043113B614C3517EE322CF609D91BFB7BACEB83730F31849AF442DA442D2694C259671

      Control-flow Graph
      • Rendered graph omitted; basic blocks b65050-b651c5, with CreateFileA called in block b650c0-b650c9 and calls to b65348, b6511f and b651c8.
      APIs
      • CreateFileA.KERNELBASE(?,F53787D4), ref: 00B650C1
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 8d23da556b0f1c9b757e73733b3c7dfe52491c84dbca01566b9836024a980383
      • Instruction ID: 6c6a4f12b70d0f7aac48aeac71ce2e963a091b34c5e2c845108a83e8c00d3d86
      • Opcode Fuzzy Hash: 8d23da556b0f1c9b757e73733b3c7dfe52491c84dbca01566b9836024a980383
      • Instruction Fuzzy Hash: D23147B700C6917EE321CA606D60AFB7BBCDAC3730F3544DAF842D6442D2990C259371
      APIs
      • CreateFileA.KERNELBASE(?,F53787D4), ref: 00B650C1
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 29bd4d71b082a7806d4a949ddff9aeeadba4d339d9ae0547d0a4baeafea2e140
      • Instruction ID: 47325821dbac3cfb7bcdd78357e3e10f84c6ae8dd079b6e256e18fe8c069ad41
      • Opcode Fuzzy Hash: 29bd4d71b082a7806d4a949ddff9aeeadba4d339d9ae0547d0a4baeafea2e140
      • Instruction Fuzzy Hash: 912192F710D6517EF221DA546E60BFB7BACDAC3730F3188ABF442D6542D2590C559231
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 75baaf97949f2ad463ea3a28c12749e89726fd2b2ff3fe14ef6ea0a4b1a4e80b
      • Instruction ID: 3733175d6d308d7d2e6b9dfa0ab00a49c9447b8e8c130e632d2f8498932ae6ef
      • Opcode Fuzzy Hash: 75baaf97949f2ad463ea3a28c12749e89726fd2b2ff3fe14ef6ea0a4b1a4e80b
      • Instruction Fuzzy Hash: 34315BB614C642AFC3069F54D9916EABBE8FF86330F2444D6E585CB143E3A90806C731
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00BB2B8F
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 9f48fd3551a0a137fcb0d4c963c3a32d0b45582ae48ac6f280b40be7712421d5
      • Instruction ID: a29593482cacb36990a261d681f8a87ab74007c92d8682f7e8aa0edaae325fa5
      • Opcode Fuzzy Hash: 9f48fd3551a0a137fcb0d4c963c3a32d0b45582ae48ac6f280b40be7712421d5
      • Instruction Fuzzy Hash: 65316B71900208FFDB209F65DD45FEEBBF8EB04724F2082A9F605AA191C7B19A41CB50
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: c0ef90b13f849a7e1c0fd955d64892db41727741a512ee00a87c04a032cfbae2
      • Instruction ID: 5e580085c9459dd9a0301198dc9a7c93040cfb602ef8f0b8766270da5ffb5c87
      • Opcode Fuzzy Hash: c0ef90b13f849a7e1c0fd955d64892db41727741a512ee00a87c04a032cfbae2
      • Instruction Fuzzy Hash: 1A31EBB250D700AFE301AF19DC85BBEBBE4EF88711F16482DE6C8C2600D63599548B97
      APIs
      • CreateFileA.KERNELBASE(00000003), ref: 00B64F26
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: a557e747b3199faf3770d7870c29f6e518e9209a72735c8cbb3b6d06b1a1e2b3
      • Instruction ID: 7e1fbdfc3aecb083f0bb13b7d87c4df1e91f7cbffc0bc392d0b50dc77af361f7
      • Opcode Fuzzy Hash: a557e747b3199faf3770d7870c29f6e518e9209a72735c8cbb3b6d06b1a1e2b3
      • Instruction Fuzzy Hash: 58219EB318CA42AED3058F609D51AF97BE8FB82730F3004D6E445C7483D3590D069730
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: b5ae000d1e0d257d6025f0e2261aaadf1b85945aa797fa263ca8615fad5ca10c
      • Instruction ID: 7740a495037fa728221cf3632176db39d19683baedfdcaf7b6e3f416142da39e
      • Opcode Fuzzy Hash: b5ae000d1e0d257d6025f0e2261aaadf1b85945aa797fa263ca8615fad5ca10c
      • Instruction Fuzzy Hash: CD3178B240C300AFE742AF18DC816BAFBE5EF54320F16482DE6D883610EB3598448B97
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00BB2378
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 4537a339ed0ee8d406e91b50a5f33d2e9127fa239bcd56ed07aac9da488ffe36
      • Instruction ID: a435b46dbf4feb68fe05fba87b7b5bf48a3b8449aef565249c8e6351894e7b9b
      • Opcode Fuzzy Hash: 4537a339ed0ee8d406e91b50a5f33d2e9127fa239bcd56ed07aac9da488ffe36
      • Instruction Fuzzy Hash: CD319371A40204BFEB209F64EC45FE9B7F8EB04B24F2082A5F615EA1D1C3F5A592CB54
      APIs
      • CreateFileA.KERNELBASE(00000003), ref: 00B64F26
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: affc6a9b353c17222409abb322e7eaf0b195aebaad7cb8b0f99b04bcc98557b2
      • Instruction ID: 4f0cea4895285d0f758059b82b3d7abb4f52ac3034c8810d161edf4367f29054
      • Opcode Fuzzy Hash: affc6a9b353c17222409abb322e7eaf0b195aebaad7cb8b0f99b04bcc98557b2
      • Instruction Fuzzy Hash: 86216AB614C642AEC7068F54D9904EABBF8FF8633073444EAE081C7143E3A90916D771
      APIs
      • CreateFileA.KERNELBASE(00000003), ref: 00B64F26
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 102be26d508e04e1a4b44e415b27215be632d27ff72a50523d33dd8bb7153c7c
      • Instruction ID: 687ecf331e8988e417686a47fce9f9e3179a7d5df73976e135079fb246623358
      • Opcode Fuzzy Hash: 102be26d508e04e1a4b44e415b27215be632d27ff72a50523d33dd8bb7153c7c
      • Instruction Fuzzy Hash: D0216BB618CA42AFC7068F54D9904AABBF8FB8673073444EAE085C7547D3A90D16D771
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 6f3a43661638f6a594e1f39431d48f1ae904614e940df604351f72586b4a79e5
      • Instruction ID: 889bdf7da069f6828411988b8759ab6f01e190906dfcc85cf2255cda40007577
      • Opcode Fuzzy Hash: 6f3a43661638f6a594e1f39431d48f1ae904614e940df604351f72586b4a79e5
      • Instruction Fuzzy Hash: 9C116AA614C6829ED3029F649D514E9BBE8FA47330B3404AAE4C5CB543D3A9490BD731
      APIs
      • CreateFileA.KERNELBASE(00000003), ref: 00B64F26
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 7fc7ef47ace96ce331dbc2f797477313c312254604ac46aff305fe18d20cef3b
      • Instruction ID: 49e43694929c6bcea45a73447d3b5125f8e541e2e300921e5dd256025f6c5070
      • Opcode Fuzzy Hash: 7fc7ef47ace96ce331dbc2f797477313c312254604ac46aff305fe18d20cef3b
      • Instruction Fuzzy Hash: 9B1157B644C6829ED3029F649DA14E9BBE8EE96330724059AE485CB147D369091AC731
      APIs
      • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00BBE718
      Memory Dump Source
      • Source File: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: FileModuleName
      • String ID:
      • API String ID: 514040917-0
      • Opcode ID: e7c2d9ae2d31388dcc825faad5bb64531717335b8cdc0c41ba043f0617cb49af
      • Instruction ID: 85948d0e6049ed157da00b21b13161b3008a36b55e02a4de62730501fbcc1f2c
      • Opcode Fuzzy Hash: e7c2d9ae2d31388dcc825faad5bb64531717335b8cdc0c41ba043f0617cb49af
      • Instruction Fuzzy Hash: 76119072A012299FEF319A168C48BFAB7FCEF14754F1441E5E825A2090DBF4DD808AB1
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05090DCD
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 5f736e73b0bec2fca6b11cc9dbcb2e1b139e2558dfc0a67a2b970a5d1f7dd1ff
      • Instruction ID: eaad15742517ee8db11b7ac951325ca56b9fe673e436a9e111dade7ab235930d
      • Opcode Fuzzy Hash: 5f736e73b0bec2fca6b11cc9dbcb2e1b139e2558dfc0a67a2b970a5d1f7dd1ff
      • Instruction Fuzzy Hash: 632138B6D016189FDB54CF99E485BDEFBF0FF88310F14826AD808AB248D7349545CBA4
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05090DCD
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 142c52c558f4a5ce270c90f0e4f42d3281cb9a333b26a78435f22a194cb440ed
      • Instruction ID: 2dabdab11569f0d396991cdce56927208897ff8390665dff3f62f6c79918401b
      • Opcode Fuzzy Hash: 142c52c558f4a5ce270c90f0e4f42d3281cb9a333b26a78435f22a194cb440ed
      • Instruction Fuzzy Hash: 482135B6C016189FCB54CF99D884BDEFBF4FF88310F14815AD808AB208D734A544CBA4
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 05091580
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 7eec8b91aa716affc5abe75ca6e3c023e3b63bdfe6a471b14cf06425db5dbf6c
      • Instruction ID: dbe5ad3dd59757809950c0567996eb23b3cad7905f17389344b059e818e34beb
      • Opcode Fuzzy Hash: 7eec8b91aa716affc5abe75ca6e3c023e3b63bdfe6a471b14cf06425db5dbf6c
      • Instruction Fuzzy Hash: FC2114B2900249DFDB10CF9AD584BDEFBF4FB48320F10846AE559A7240D378A645CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 05091580
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: f50c35db56c8d842529a22286abd0cc799c95a1e1899736ce5f4b21c7cb234ff
      • Instruction ID: db611c0f8b745e6127cad12941d9f97b7cf280904324173a17fbc8f4c80c8e24
      • Opcode Fuzzy Hash: f50c35db56c8d842529a22286abd0cc799c95a1e1899736ce5f4b21c7cb234ff
      • Instruction Fuzzy Hash: 5011E4B6900249DFDB10CF9AD584BDEFBF4FB48320F14806AE559A7250D378A644CFA5
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
      • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-118F5FEC), ref: 00BB56AE
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CurrentFileThreadView
      • String ID:
      • API String ID: 1949693742-0
      • Opcode ID: f317c937cb4c57623a82372120d10da4b8e4be1676643e7bdb4a98c445efa434
      • Instruction ID: 13d0ab19b0db8a2ca0b953127a38e866c53ff08488e4dcc567842b5f2b5fbdcb
      • Opcode Fuzzy Hash: f317c937cb4c57623a82372120d10da4b8e4be1676643e7bdb4a98c445efa434
      • Instruction Fuzzy Hash: E111A83210064AFFCF22AFA4DD09EFE3BB6AF58340B404591FA0255021D7B6C471EB62
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CurrentThread
      • String ID:
      • API String ID: 2882836952-0
      • Opcode ID: 7621238276d1ea988aa57609972edc3ed621f91c952dd7ce4f5585176e465cdc
      • Instruction ID: f4022271dc83958994c92ec199f827172a0d8cdef014298a1ce20811d0483f42
      • Opcode Fuzzy Hash: 7621238276d1ea988aa57609972edc3ed621f91c952dd7ce4f5585176e465cdc
      • Instruction Fuzzy Hash: A6113C7150054AEBCF22AFA4C909BFE3BE5EF44341F008490F90649265C7F5C5A2EB52
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 05091367
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: bff5bf5fb11968f99be7b34e96e904b9ed33bf15061a19e4ab8ca08e5d674ac7
      • Instruction ID: f8a6a3120ca2a93c8c7f5489cfba3c7e48506a8db18d666aa5a1795502b49520
      • Opcode Fuzzy Hash: bff5bf5fb11968f99be7b34e96e904b9ed33bf15061a19e4ab8ca08e5d674ac7
      • Instruction Fuzzy Hash: 531166B2900249CFDB20CF9AD585BEEFBF4EF48320F14846AD459A3240D778A544CFA1
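      The entries above record the same pattern several times: OpenSCManagerW, ControlService and ImpersonateLoggedOnUser are all called from the region dumped as 05090000, whose dump name carries protection 00000040 (PAGE_EXECUTE_READWRITE) and which the sandbox marks "based on PE: false", i.e. executable memory not backed by the loaded image, while CreateFileA, GetModuleFileNameA and MapViewOfFileEx run from the PE-backed 009D0000 module. The following Python triage helper is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" and "Memory Dump Source" lines into records and flags watch-listed APIs called from unbacked executable memory. Two things are assumptions of mine, not documented on this page: that the fourth and fifth dot-separated fields of a .sdmp name are the region base address and its Windows page protection, and the WATCHLIST grouping of APIs into service-control and token-impersonation tags. The sample input is constructed from the report entries quoted above.

```python
"""Triage helper for Joe Sandbox function-similarity entries (added example).

Parses the "APIs" and "Memory Dump Source" lines of the report into records and
flags watch-listed API calls made from executable memory that the sandbox did
not map back to a PE image, where unpacked or injected code tends to live.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows PAGE_* protection constants from winnt.h.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Triage tags for APIs worth a second look. This grouping is my own heuristic,
# not something the report defines.
WATCHLIST = {
    "OpenSCManagerW": "service-control",
    "ControlService": "service-control",
    "ImpersonateLoggedOnUser": "token-impersonation",
}

# "• CreateFileA.KERNELBASE(00000003), ref: 00B64F26" and the indented
# "• Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF" form.
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Source File: <dump>.sdmp, Offset: 009D0000, based on PE: true"
SOURCE_RE = re.compile(
    r"^\s*(?:•\s*)?Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: int
    subcall_of: Optional[int]
    dump: str = ""
    region_base: int = 0
    protection: int = 0
    pe_backed: bool = False

    @property
    def executable(self) -> bool:
        return bool(self.protection & EXECUTABLE_MASK)

    @property
    def tag(self) -> Optional[str]:
        return WATCHLIST.get(self.api)


def parse_dump_name(dump: str) -> Tuple[int, int]:
    """Return (region_base, protection) from a .sdmp file name.

    Assumption: the 4th dot-separated field is the region base address and the
    5th is the Windows page protection; the report does not document the layout.
    """
    fields = dump.split(".")
    return int(fields[3], 16), int(fields[4], 16)


def parse_report(text: str) -> List[ApiCall]:
    """Attach each run of API lines to the Source File line that follows it."""
    calls: List[ApiCall] = []
    pending: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending.append(ApiCall(
                api=m["api"], module=m["module"], args=m["args"] or "",
                ref=int(m["ref"], 16),
                subcall_of=int(m["sub"], 16) if m["sub"] else None,
            ))
            continue
        m = SOURCE_RE.match(line)
        if m:
            base, prot = parse_dump_name(m["dump"])
            for call in pending:
                call.dump, call.region_base, call.protection = m["dump"], base, prot
                call.pe_backed = m["pe"] == "true"
            calls.extend(pending)
            pending = []
    return calls


def suspicious(calls: List[ApiCall]) -> List[ApiCall]:
    """Watch-listed APIs called from executable memory not backed by a PE image."""
    return [c for c in calls if c.tag and c.executable and not c.pe_backed]


# Constructed sample: the API and Source File lines of five entries quoted above.
SAMPLE_REPORT = """\
APIs
• CreateFileA.KERNELBASE(00000003), ref: 00B64F26
Memory Dump Source
• Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05090DCD
Memory Dump Source
• Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
APIs
• ControlService.ADVAPI32(?,?,?), ref: 05091580
Memory Dump Source
• Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
APIs
  • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
• MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-118F5FEC), ref: 00BB56AE
Memory Dump Source
• Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
APIs
• ImpersonateLoggedOnUser.KERNELBASE ref: 05091367
Memory Dump Source
• Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
"""

if __name__ == "__main__":
    for c in suspicious(parse_report(SAMPLE_REPORT)):
        print(f"{c.api}.{c.module} @ {c.ref:08X} from region {c.region_base:08X} "
              f"prot=0x{c.protection:02X} pe_backed={c.pe_backed} [{c.tag}]")
```

      Running it on the constructed sample flags the three 05090000-region calls and leaves the PE-backed CreateFileA and MapViewOfFileEx alone; the same two regexes will consume a whole exported report, so the filter can be run over every function entry rather than the handful shown here. A call that hits the watch list but comes from PE-backed memory is still worth reading in context, it just does not get the unbacked-code tag.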
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 33143a9b98e4837b99e69e4bc82c14b4ca31e2775067b3d4423dede27da1e92e
      • Instruction ID: 40f9214c87579ef3cfe7387d2534f793f7a6e59bd605bd7e687e67565e75afe5
      • Opcode Fuzzy Hash: 33143a9b98e4837b99e69e4bc82c14b4ca31e2775067b3d4423dede27da1e92e
      • Instruction Fuzzy Hash: 75019EF250C7458EE710CF205DB41BE3BB8DA92330F7005DAE842C7143D3A80D6A9728
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 05091367
      Memory Dump Source
      • Source File: 00000000.00000002.1501484139.0000000005090000.00000040.00000800.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5090000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 165f54f62216c1f9c804093152bb81a152ba8429e5fc732394425fb937d10a0d
      • Instruction ID: 7e62249328629c7c012e34d4accdc2e547d3123023963d63870a3a128a2f1b73
      • Opcode Fuzzy Hash: 165f54f62216c1f9c804093152bb81a152ba8429e5fc732394425fb937d10a0d
      • Instruction Fuzzy Hash: 911133B2900249CFDB20CF9AD545BDEFBF8EB48320F24846AD518A3640D778A944CFA5
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: e94cb2e6520a0b761ed13fcb35f1ad0fc7d55d7ec585187b191a82e462670251
      • Instruction ID: 236d99d6dc220ef52ab4d0d8e83d56c043432769adddc9b603f43546f078cf52
      • Opcode Fuzzy Hash: e94cb2e6520a0b761ed13fcb35f1ad0fc7d55d7ec585187b191a82e462670251
      • Instruction Fuzzy Hash: D5F028F2448A05ADD7208F5099A15BE7BEDE692330F3009A6E802D6902E3E90D3E6664
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 8712e97f19ec8d526fe8036cc35ce637ebdae5fe493202243a77d4d95aeaf875
      • Instruction ID: 879afa865e2ea4cc0da3fe99237765c2a154aedca9da021c8bcce2e57f8c5f6d
      • Opcode Fuzzy Hash: 8712e97f19ec8d526fe8036cc35ce637ebdae5fe493202243a77d4d95aeaf875
      • Instruction Fuzzy Hash: 7CF081F240C7059DE720CF109DE057E37A9DA81370F70055AE842C2442D3B90D395618
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
      • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-118F5FEC,?,?,00BB2A22,?,?,00000400,?,00000000,?,00000000), ref: 00BB4D5F
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CurrentFileReadThread
      • String ID:
      • API String ID: 2348311434-0
      • Opcode ID: bd8f69f3c9aabf8045ef0e91249fafabc47dd5034fe1bf65a7241b9ac43949c3
      • Instruction ID: 8bd9c5fd53b10c3556c355194406f8a98d6bead5e503c4d4060858a6f2605b19
      • Opcode Fuzzy Hash: bd8f69f3c9aabf8045ef0e91249fafabc47dd5034fe1bf65a7241b9ac43949c3
      • Instruction Fuzzy Hash: 39F0C93210050AFBCF12AFA8D919EFE3FB6FF45350B0085A1F61559161C7B2C862EBA1
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 36239037f02f40e9dc58c5d85077e2f6444d767dd07a3c4556a06bff37f4eb05
      • Instruction ID: 0ac4ee7bf36e73b3a68c9e5651b4e49d3c325f37dc0d8cff707fa6dd00485445
      • Opcode Fuzzy Hash: 36239037f02f40e9dc58c5d85077e2f6444d767dd07a3c4556a06bff37f4eb05
      • Instruction Fuzzy Hash: C0E0E5F24486155CE710DF149DA0ABE37ADE6D1330F304455E846D6441E2A80D390628
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 35664c4d3293590a42bf9f944d65df2f1e4a5ceed02317414ae9415b369ed868
      • Instruction ID: f6871e538590f7f8ff06f22452708293c2c6332ffafe6f6cdc8914caafb0231b
      • Opcode Fuzzy Hash: 35664c4d3293590a42bf9f944d65df2f1e4a5ceed02317414ae9415b369ed868
      • Instruction Fuzzy Hash: 57F0E5B290C7864ED720DF3488A062D3BA4CA927A0F2009EAD481CB441C2A50C2B8B15
      APIs
      • CreateFileA.KERNELBASE(?,D4DF2F4F), ref: 00B652F8
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 127e210bb562ae035dd65ccd928e17ac6c36f5ce7f1a72548071c10c725089b8
      • Instruction ID: 1b766d292c548c4b6ab41ef7cad1b58458c1d11b4adfa938815ffb87d2ef847d
      • Opcode Fuzzy Hash: 127e210bb562ae035dd65ccd928e17ac6c36f5ce7f1a72548071c10c725089b8
      • Instruction Fuzzy Hash: F5E092B25486564EE7109F3098A126D7BB0EB92330F3044AAD442D6502C2E9496A4714
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 467acaf560245e2b44a54e1f84f31b10f74c6ce1543672f707b23b5587482dde
      • Instruction ID: be88b18a2a0856655b65dac43fdc06ac1f61031b492f8c05a543e7f994790820
      • Opcode Fuzzy Hash: 467acaf560245e2b44a54e1f84f31b10f74c6ce1543672f707b23b5587482dde
      • Instruction Fuzzy Hash: C4D017B000C200DFC7012F58C88853DFBE4FF19300F218D5DDAE992210D3718460AB13
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 009DEEC1
      Memory Dump Source
      • Source File: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: d4ccb417048a209921072686ac5f7a1d70519b0c158f8f33f2c50e8405f1e17a
      • Instruction ID: dff0b7e53f1de13657a2be6c0308044114d06ab614dcbc253eb530bad0ebf477
      • Opcode Fuzzy Hash: d4ccb417048a209921072686ac5f7a1d70519b0c158f8f33f2c50e8405f1e17a
      • Instruction Fuzzy Hash: C2017CB211C610ABD300BF29DC85ABBBBE4EF44310F06492EE5C5C3600E63598408797
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: lstrcmpi
      • String ID:
      • API String ID: 1586166983-0
      • Opcode ID: 604b8b0114fab6c8765e5f507d7a2f67b78c19eddcdac4c0ca6c2f47e3ca03f3
      • Instruction ID: f693cd140fa3b514e39b192ff260f02371da5d78dd9d4730ec94b35f55ea1276
      • Opcode Fuzzy Hash: 604b8b0114fab6c8765e5f507d7a2f67b78c19eddcdac4c0ca6c2f47e3ca03f3
      • Instruction Fuzzy Hash: 7B01E835A10109BFCF21AFA5DC45DEFBBB6FF54741F0011A1A805A4460E772D661DFA0
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 009DEEC1
      Memory Dump Source
      • Source File: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 2e259facbac087f4b4033cd3646891b111eacf0c61d332ac6ee3cf2a0bfde4a9
      • Instruction ID: 7a5cfe48678dbcd2b4a76f16529dbf8e51680c0925d0d319c1bb7af0e392b3cc
      • Opcode Fuzzy Hash: 2e259facbac087f4b4033cd3646891b111eacf0c61d332ac6ee3cf2a0bfde4a9
      • Instruction Fuzzy Hash: 9BF03CB251C6149FD704BF29DC866BAB7E4EF45300F0A482ED5C5C7740E635A8408B97
      APIs
      • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00BBE291,?,?,00BBDF97,?,?,00BBDF97,?,?,00BBDF97), ref: 00BBE2B5
      Memory Dump Source
      • Source File: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 7f901a3160614ad900eab177a2fa261de006cffc1473325c7c162a8e95f7b90c
      • Instruction ID: 67e6ca54ae0d493d10c47244199d0ffc552dc093e95ddf94ddc413ec92ea0e2d
      • Opcode Fuzzy Hash: 7f901a3160614ad900eab177a2fa261de006cffc1473325c7c162a8e95f7b90c
      • Instruction Fuzzy Hash: BFF081B1904205EFDB25CF55CD09BE9BFE4FF54751F118065E44A9B5A1D3B198C0CBA0
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
      • CloseHandle.KERNELBASE(00BB2AB7,-118F5FEC,?,?,00BB2AB7,?), ref: 00BB3132
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CloseCurrentHandleThread
      • String ID:
      • API String ID: 3305057742-0
      • Opcode ID: 41cabbfdd84471361feaf134d90078057186a6156e2919c412f875a58323a191
      • Instruction ID: b8045fe03af2ebeb0d0eb60e5a023c20295106132f406892f67caf5227608ec0
      • Opcode Fuzzy Hash: 41cabbfdd84471361feaf134d90078057186a6156e2919c412f875a58323a191
      • Instruction Fuzzy Hash: 6DE04F76604106B7CA10BB7DDC0ADFF2BECAF94B90B0081A1F106A5041CEE4C292D6A1
      APIs
      • CloseHandle.KERNELBASE(?,?,00BB023F,?,?), ref: 00BB21BF
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: 282ad15609651213df9d8423f0951060b89e5c9ab1d0f4863865477b24605be2
      • Instruction ID: 702362d17833af57cd83f9d2cebab70538b3f88664ccf2fb2478553c589ff141
      • Opcode Fuzzy Hash: 282ad15609651213df9d8423f0951060b89e5c9ab1d0f4863865477b24605be2
      • Instruction Fuzzy Hash: 1AB09B3140010977CF01BF55DC0584DBF65BF15755740C110B51A541718B71D560DBD0
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
      • GetSystemTime.KERNEL32(?,-118F5FEC), ref: 00BB4522
      • GetFileTime.KERNEL32(?,?,?,?,-118F5FEC), ref: 00BB4565
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: Time$CurrentFileSystemThread
      • String ID:
      • API String ID: 2191017843-0
      • Opcode ID: 9ea96d4d38777bf1eff197894388ca0c561b92ba87889fee1960f9708d17985a
      • Instruction ID: 260a32e9f928e0c535c3c78a50e6db712bbb90505e30d3b9b7bbb76b4a0f6a22
      • Opcode Fuzzy Hash: 9ea96d4d38777bf1eff197894388ca0c561b92ba87889fee1960f9708d17985a
      • Instruction Fuzzy Hash: 8E012132100545FBCB21AF19D80CDFE3FB5FF96310B004161F40545462CBB2C4A1D691
      APIs
      • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00BB53F2
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      • Associated: 00000000.00000002.1498790630.00000000009D0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498815648.00000000009D2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498832712.00000000009D6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498866735.00000000009E4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498883440.00000000009E5000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1498907303.00000000009E6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499041474.0000000000B43000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499059192.0000000000B46000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499081940.0000000000B6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499116747.0000000000B6C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499133075.0000000000B6D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499149672.0000000000B6E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499164619.0000000000B6F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499197519.0000000000B99000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499215061.0000000000B9B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499231236.0000000000BA2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499277964.0000000000BB6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499301615.0000000000BB8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499336558.0000000000BD1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499356186.0000000000BD4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499377385.0000000000BD5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499394258.0000000000BD9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499484537.0000000000BDA000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499503684.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499519797.0000000000BE2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499540242.0000000000BE6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499558902.0000000000BEE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499576634.0000000000BF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499593525.0000000000BFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499613056.0000000000BFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499628247.0000000000BFE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499648445.0000000000C02000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499666021.0000000000C04000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499682202.0000000000C07000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499702283.0000000000C09000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499720015.0000000000C10000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499741878.0000000000C23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499756945.0000000000C25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499789771.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499829353.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1499845820.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CryptSignatureVerify
      • String ID:
      • API String ID: 1015439381-0
      • Opcode ID: 9b7cfadff441e64f89d115d4595761480cf441fbcbeee6cf8da0b29d0407ec13
      • Instruction ID: 415786b8a4fbcfe0cfdd5bed3413c92805eb9ef76ee7fbfa52042f9706347cf5
      • Opcode Fuzzy Hash: 9b7cfadff441e64f89d115d4595761480cf441fbcbeee6cf8da0b29d0407ec13
      • Instruction Fuzzy Hash: 0DF0583260120AFFCF11CF94C944A9C7BF1FF18388B008465F91696250C7B59AA0EF45
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1498849275.00000000009DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID:
      • String ID: NTDL
      • API String ID: 0-3662016964
      • Opcode ID: 67ce74282b56a5d5623da822fb5b93aad196232f704395b5c6ccc9a1ee3b0f9e
      • Instruction ID: c65d63804ff4bab0fcc8afeecb0f1a43f63b957f69749e91baef4e031369f32d
      • Opcode Fuzzy Hash: 67ce74282b56a5d5623da822fb5b93aad196232f704395b5c6ccc9a1ee3b0f9e
      • Instruction Fuzzy Hash: 8771DF7668931E8BCB11DF24C4401DF77A5EB96320F24C52BC8828BB41D3B69D11DF99
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID:
      • String ID: SR*n
      • API String ID: 0-1386546681
      • Opcode ID: 062d48fec95f91291ba162d7ede3aa2a077d8659e128dd60771bdb04e77ea6f1
      • Instruction ID: d48b1f663bd3425dbb711e45877c4f1ef1fe13bdbdf0b4f01ad12ab13bcc9699
      • Opcode Fuzzy Hash: 062d48fec95f91291ba162d7ede3aa2a077d8659e128dd60771bdb04e77ea6f1
      • Instruction Fuzzy Hash: 4541D9B660C300AFE701AE5DDD8167EFBE6EFD8320F26892DE6C4C3615E67558018662
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499081940.0000000000B5F000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID:
      • String ID: SR*n
      • API String ID: 0-1386546681
      • Opcode ID: dfe7db30cee7185883cb60561941dc3e6e61fd3c79f135303a66e8ad24bbf13a
      • Instruction ID: 7ec6da843bc0aa574842195846c9e90378406df7cdf70740572063f2bfe5a351
      • Opcode Fuzzy Hash: dfe7db30cee7185883cb60561941dc3e6e61fd3c79f135303a66e8ad24bbf13a
      • Instruction Fuzzy Hash: 8F41B7B6A0C300AFE701AE5DDD8162AFBE6EFD8320F26892DE6C4C3615D63558018693
      APIs
        • Part of subcall function 00BB03A0: GetCurrentThreadId.KERNEL32 ref: 00BB03AF
        • Part of subcall function 00BB4AA1: IsBadWritePtr.KERNEL32(?,00000004), ref: 00BB4AAF
      • wsprintfA.USER32 ref: 00BB3A69
      • LoadImageA.USER32(?,?,?,?,?,?), ref: 00BB3B2D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: CurrentImageLoadThreadWritewsprintf
      • String ID: %8x$%8x
      • API String ID: 439219941-2046107164
      • Opcode ID: 922b63eb8448b8c77393b9ccdb32dfa29f7e00a42d35de15c88ca35b3fb8b06c
      • Instruction ID: 6e2249e8679d80880ce05e6ca4c828c51ef9278957b39fcf4d03a60e4475cb0f
      • Opcode Fuzzy Hash: 922b63eb8448b8c77393b9ccdb32dfa29f7e00a42d35de15c88ca35b3fb8b06c
      • Instruction Fuzzy Hash: 7831047590010AFBCF11DFA4DD49EEEBBB5FF88700F108165FA11A61A0C7B19A61DB90
      APIs
      • GetFileAttributesExW.KERNEL32(011B0174,00004020,00000000,-118F5FEC), ref: 00BB46E1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1499257247.0000000000BAC000.00000040.00000001.01000000.00000003.sdmp, Offset: 009D0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9d0000_uw7vXaPNPF.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: 6d47164f672b556f6c59f50acc95b82df9d86e8fa0526ca5cc9250eb8ea92061
      • Instruction ID: ecc8e1c28699f5ac28e00ea682309a6939db80bcb5284a80a4409355a2573c93
      • Opcode Fuzzy Hash: 6d47164f672b556f6c59f50acc95b82df9d86e8fa0526ca5cc9250eb8ea92061
      • Instruction Fuzzy Hash: 4C318BB1504305EFDB24DF44D888BEEBBF0FF09300F108599E956676A1C3B1AAA5DB90