Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561535
MD5: 38f5cd89e8b865100e7f123b9e84e2a3
SHA1: fc75e15ee0f5476a93a227172839b9846f804d1b
SHA256: b908490eebcd33d505498b1a05e560d86de224c3025e3db179479850c71bcbc2
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5352 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 38F5CD89E8B865100E7F123B9E84E2A3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2132630272.00000000048F0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADE123
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E116
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E12A
Source: file.exe, 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: zRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeP
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll (2 occurrences)
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2784256 > 1048576
Source: file.exe | Static PE information: Raw size of lwvfpqpj is bigger than: 0x100000 < 0x2a1c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2132630272.00000000048F0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ad0000.0.unpack: (blank):EW; .rsrc:W; .idata :W; lwvfpqpj:EW; nnhflwrw:EW; .taggant:EW vs (blank):ER; .rsrc:W
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2aaed0 should be: 0x2b6585
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: lwvfpqpj
Source: file.exe | Static PE information: section name: nnhflwrw
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE10BC: push 5FFE9BC7h; mov dword ptr [esp], ebx (at 0_2_00AE3857)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push edx; mov dword ptr [esp], 59FD728Eh (at 0_2_00C5E134)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push 086D5530h; mov dword ptr [esp], edx (at 0_2_00C5E156)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push ecx; mov dword ptr [esp], 575D4998h (at 0_2_00C5E167)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push 63DA2533h; mov dword ptr [esp], eax (at 0_2_00C5E19D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push ecx; mov dword ptr [esp], 7DBFDC86h (at 0_2_00C5E2A4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push ebx; mov dword ptr [esp], 7FB78FD8h (at 0_2_00C5E2D7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push 179BA14Bh; mov dword ptr [esp], ebx (at 0_2_00C5E318)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0B4: push ecx; mov dword ptr [esp], eax (at 0_2_00C5E385)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C61B67: push esi; ret (at 0_2_00C61BD3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6CB2D: push 03CED6BBh; mov dword ptr [esp], ebx (at 0_2_00C6CFEC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADEF85: push 0F9E269Ch; mov dword ptr [esp], esi (at 0_2_00ADFB57)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push edx; mov dword ptr [esp], 59FD728Eh (at 0_2_00C5E134)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push 086D5530h; mov dword ptr [esp], edx (at 0_2_00C5E156)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push ecx; mov dword ptr [esp], 575D4998h (at 0_2_00C5E167)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push 63DA2533h; mov dword ptr [esp], eax (at 0_2_00C5E19D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push ecx; mov dword ptr [esp], 7DBFDC86h (at 0_2_00C5E2A4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push ebx; mov dword ptr [esp], 7FB78FD8h (at 0_2_00C5E2D7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push 179BA14Bh; mov dword ptr [esp], ebx (at 0_2_00C5E318)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0C5: push ecx; mov dword ptr [esp], eax (at 0_2_00C5E385)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADD0AA: push edx; mov dword ptr [esp], eax (at 0_2_00ADD14E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C740C0: push edx; ret (at 0_2_00C740CF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C730CD: push 38A8898Dh; mov dword ptr [esp], ebx (at 0_2_00C730F2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C760CB: push 56C9F8EAh; mov dword ptr [esp], edi (at 0_2_00C760F8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C760CB: push eax; mov dword ptr [esp], ebp (at 0_2_00C7610D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C760CB: push 5D8690B3h; mov dword ptr [esp], ecx (at 0_2_00C76163)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADC0BD: push 1BDDBB49h; mov dword ptr [esp], ebx (at 0_2_00ADC569)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0DD: push edx; mov dword ptr [esp], 59FD728Eh (at 0_2_00C5E134)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0DD: push 086D5530h; mov dword ptr [esp], edx (at 0_2_00C5E156)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0DD: push ecx; mov dword ptr [esp], 575D4998h (at 0_2_00C5E167)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5E0DD: push 63DA2533h; mov dword ptr [esp], eax (at 0_2_00C5E19D)
Source: file.exe | Static PE information: section name: (blank), entropy: 7.8142055214167545
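The static findings above (a blank section name, the randomly named lwvfpqpj and nnhflwrw sections, an entry point inside .taggant, a stored checksum of 0x2aaed0 against an expected 0x2b6585, and a section at 7.81 bits/byte of entropy) are cheap to reproduce on any sample before detonation. The script below is an added example for this page, not part of the Joe Sandbox report and not the sandbox's own detection code. It walks the PE headers with the standard library only, so it needs no pefile install, and it ships with a constructed toy PE32 whose section names, flags and bogus checksum mirror this report's layout; that toy file, the 7.0 bits/byte entropy threshold and the list of "standard" section names are assumptions of the example, not facts from the report.

```python
import math
import struct
from collections import Counter

# Assumption: section names an unpacked compiler/linker output normally uses.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS"}
ENTROPY_THRESHOLD = 7.0  # assumption; compressed or encrypted data sits near 8.0 bits/byte
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile algorithm: 32-bit words summed with end-around carry, the
    CheckSum field itself skipped, folded to 16 bits, plus the file length."""
    padded, total = data + b"\0" * (-len(data) % 4), 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk; the fields used sit at the same offsets in PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    first_section = opt + struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, first_section + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "flags": flags, "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def triage(data: bytes) -> list:
    """Return (indicator, detail) pairs mirroring the report's static PE signatures."""
    info, findings, entry_section = parse_pe(data), [], None
    computed = pe_checksum(data, info["checksum_offset"])
    if info["stored_checksum"] != computed:
        findings.append(("invalid_checksum", f"real 0x{info['stored_checksum']:x} should be 0x{computed:x}"))
    for s in info["sections"]:
        name = s["name"]
        if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_section = name
        if not name.strip() or not name.isprintable():
            findings.append(("special_char_section_name", repr(name)))
        elif name not in STANDARD_SECTIONS:
            findings.append(("nonstandard_section_name", name))
        if s["flags"] & SCN_EXECUTE and s["flags"] & SCN_WRITE:
            findings.append(("writable_executable_section", name))
        entropy = shannon_entropy(s["raw"])
        if entropy > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_section", f"{name} {entropy:.2f}"))
    if entry_section not in STANDARD_SECTIONS:
        findings.append(("entry_point_outside_standard_section", str(entry_section)))
    return findings


def build_sample_pe(valid_checksum: bool = False) -> bytes:
    """Constructed toy PE32 (not the analysed sample): a blank-named packed section, .rsrc,
    a random-named RWX section and the entry point inside .taggant. Bodies, flags and the
    bogus CheckSum value are assumptions chosen so that every check above fires."""
    file_align, sect_align, e_lfanew, opt_size = 0x200, 0x1000, 0x80, 0xE0
    specs = [("", bytes(range(256)) * 4, 0x60000020),          # code, E|R, entropy 8.0
             (".rsrc", b"\0" * 0x200, 0xC0000040),             # data, R|W
             ("lwvfpqpj", bytes(range(256)) * 2, 0xE0000020),  # code, E|R|W, entropy 8.0
             (".taggant", b"\x90" * 0x200, 0x60000020)]        # code, E|R, hosts the entry point
    align = lambda n, a: -(-n // a) * a
    headers_size = align(e_lfanew + 24 + opt_size + 40 * len(specs), file_align)
    va, raw_ptr, hdrs, bodies, entry_rva = sect_align, headers_size, [], [], 0
    for name, body, flags in specs:
        raw_size = align(len(body), file_align)
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode(), len(body), va, raw_size, raw_ptr, 0, 0, 0, 0, flags))
        bodies.append(body.ljust(raw_size, b"\0"))
        entry_rva = va + 0x10 if name == ".taggant" else entry_rva
        va, raw_ptr = va + align(len(body), sect_align), raw_ptr + raw_size
    # PE32 optional header: magic, linker version, code/data sizes, entry point, code/data bases,
    # ImageBase, alignments, OS/image/subsystem versions, SizeOfImage, SizeOfHeaders, bogus CheckSum,
    # GUI subsystem, DllCharacteristics, stack/heap sizes, LoaderFlags, 16 empty data directories.
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0, 0x400000, sect_align,
                      file_align, 0, 0, 0, 0, 0, 0, 0, va, headers_size, 0x2AAED0, 2, 0, 0, 0, 0, 0, 0, 16)
    opt += b"\0" * (opt_size - len(opt))
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE|32BIT
    image = bytearray(e_lfanew)
    image[:2], image[0x3C:0x40] = b"MZ", struct.pack("<I", e_lfanew)
    image += b"PE\0\0" + coff + opt + b"".join(hdrs)
    image += b"\0" * (headers_size - len(image)) + b"".join(bodies)
    if valid_checksum:  # write the correct value back, as a linker would
        struct.pack_into("<I", image, e_lfanew + 88, pe_checksum(bytes(image), e_lfanew + 88))
    return bytes(image)


if __name__ == "__main__":
    print(*triage(build_sample_pe()), sep="\n")
```

On a real file call triage(open(path, "rb").read()). The entropy and writable-plus-executable checks are heuristics: legitimately compressed installers, self-extracting archives and JIT hosts trip them too, so treat them as triage hints to be weighed with the checksum and entry-point findings rather than as verdicts.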

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 occurrences)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 occurrences)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADE820 second address: ADE824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADE824 second address: ADE830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADE830 second address: ADE835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5DF59 second address: C5DF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E0BA second address: C5E0D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA930CFA70Ah 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E0D0 second address: C5E0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007FA930CFA7ACh 0x0000000d jmp 00007FA930CFA7ACh 0x00000012 pop ecx 0x00000013 ja 00007FA930CFA7B2h 0x00000019 jnc 00007FA930CFA7A6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E0FF second address: C5E10F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007FA930CFA706h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E40E second address: C5E418 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA930CFA7A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E418 second address: C5E448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA930CFA712h 0x0000000c jmp 00007FA930CFA713h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E448 second address: C5E44C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E5D2 second address: C5E5F1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA930CFA706h 0x00000008 jmp 00007FA930CFA710h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5E5F1 second address: C5E5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61729 second address: C61811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 je 00007FA930CFA706h 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 call 00007FA930CFA70Fh 0x00000016 xor ecx, 757F1325h 0x0000001c pop ecx 0x0000001d push 00000000h 0x0000001f mov dh, bh 0x00000021 push DFE8F180h 0x00000026 jmp 00007FA930CFA70Eh 0x0000002b add dword ptr [esp], 20170F00h 0x00000032 jnp 00007FA930CFA71Ch 0x00000038 push 00000003h 0x0000003a xor dword ptr [ebp+122D2BFFh], edx 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push esi 0x00000045 call 00007FA930CFA708h 0x0000004a pop esi 0x0000004b mov dword ptr [esp+04h], esi 0x0000004f add dword ptr [esp+04h], 00000018h 0x00000057 inc esi 0x00000058 push esi 0x00000059 ret 0x0000005a pop esi 0x0000005b ret 0x0000005c je 00007FA930CFA70Ch 0x00000062 mov dword ptr [ebp+122D2C5Ch], edi 0x00000068 jno 00007FA930CFA70Eh 0x0000006e push 00000003h 0x00000070 jno 00007FA930CFA724h 0x00000076 push 8C39F7D2h 0x0000007b push eax 0x0000007c push edx 0x0000007d ja 00007FA930CFA716h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61882 second address: C61888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61888 second address: C618B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push eax 0x0000000c jns 00007FA930CFA707h 0x00000012 stc 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 push 793F3BCCh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push esi 0x0000001f pop esi 0x00000020 jmp 00007FA930CFA70Eh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61959 second address: C619A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f jno 00007FA930CFA7ACh 0x00000015 jnl 00007FA930CFA7A8h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e jbe 00007FA930CFA7ACh 0x00000024 pushad 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 pop eax 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push ebx 0x00000034 pop ebx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C619A7 second address: C619CF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA930CFA70Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b adc esi, 420E75B3h 0x00000011 lea ebx, dword ptr [ebp+1245760Ch] 0x00000017 mov esi, dword ptr [ebp+122D31F5h] 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C619CF second address: C619F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA930CFA7B9h 0x0000000a popad 0x0000000b push eax 0x0000000c jno 00007FA930CFA7B4h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80DFD second address: C80E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80E01 second address: C80E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA930CFA7A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FA930CFA7AAh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80E1D second address: C80E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80E27 second address: C80E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80E2F second address: C80E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80E36 second address: C80E3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C810F8 second address: C81120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA930CFA717h 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FA930CFA706h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8153D second address: C81541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81541 second address: C8154C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C816A8 second address: C816AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C816AF second address: C816B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C816B5 second address: C816C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FA930CFA7A6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81B15 second address: C81B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C79409 second address: C7940E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7940E second address: C79417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81F3F second address: C81F90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FA930CFA7B5h 0x00000012 jnc 00007FA930CFA7A6h 0x00000018 jmp 00007FA930CFA7B0h 0x0000001d popad 0x0000001e jmp 00007FA930CFA7ACh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8246B second address: C82471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8283F second address: C82863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B5h 0x00000009 popad 0x0000000a jmp 00007FA930CFA7AAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82863 second address: C82868 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82868 second address: C8287A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA930CFA7A6h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8287A second address: C828B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jns 00007FA930CFA719h 0x0000000e jmp 00007FA930CFA717h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82B55 second address: C82B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4FBEB second address: C4FBF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4FBF5 second address: C4FBF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4FBF9 second address: C4FC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FA930CFA71Bh 0x0000000c jmp 00007FA930CFA713h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FA930CFA718h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jc 00007FA930CFA708h 0x00000021 push eax 0x00000022 pop eax 0x00000023 jmp 00007FA930CFA717h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4FC54 second address: C4FC5E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA930CFA7ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4FC5E second address: C4FC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8581B second address: C85820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E931 second address: C8E935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E935 second address: C8E965 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA930CFA7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA930CFA7ADh 0x00000012 jmp 00007FA930CFA7B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8E965 second address: C8E96A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8DD86 second address: C8DD8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8DD8B second address: C8DD90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8DEF4 second address: C8DEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8DEFA second address: C8DF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FA930CFA70Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0015 second address: CE0019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0019 second address: CE001F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE001F second address: CE002A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE002A second address: CE003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FA930CFA7A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2C78 second address: CE2C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FA930CFA706h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2C85 second address: CE2C9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA930CFA7AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE2C9E second address: CE2CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4C534 second address: C4C53A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4C53A second address: C4C544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4C544 second address: C4C54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA930CFA7A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4C54E second address: C4C560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA70Ch 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE56F4 second address: CE5702 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE9923 second address: CE9929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF2F4 second address: CEF315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B2h 0x00000009 jnc 00007FA930CFA7A6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF315 second address: CEF32E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA715h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEF32E second address: CEF338 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA930CFA7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDC65 second address: CEDC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDEFC second address: CEDF28 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA930CFA7B9h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 je 00007FA930CFA7A6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDF28 second address: CEDF38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FA930CFA70Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDF38 second address: CEDF6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA930CFA7B5h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA930CFA7B5h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEDF6C second address: CEDF70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C97644 second address: C97648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C976F0 second address: C976FA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA930CFA706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C976FA second address: C976FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE512 second address: CEE51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE51A second address: CEE520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEE520 second address: CEE524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEEFFB second address: CEEFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3E84 second address: CF3E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA930CFA713h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3E9D second address: CF3EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7B6h 0x00000007 jng 00007FA930CFA7ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF30E8 second address: CF30F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FA930CFA706h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3253 second address: CF327A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FA930CFA7B2h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA930CFA7AEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF327A second address: CF327E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C54D83 second address: C54D8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3414 second address: CF3418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3418 second address: CF341E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF36E5 second address: CF36EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF36EA second address: CF36FC instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA930CFA7ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF36FC second address: CF3700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3700 second address: CF3734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7ADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FA930CFA7B5h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3734 second address: CF3741 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FA930CFA706h 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF389D second address: CF38A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF38A8 second address: CF38AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF39F6 second address: CF3A2F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 js 00007FA930CFA7A6h 0x0000000d pop edi 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 pushad 0x00000013 jns 00007FA930CFA7A6h 0x00000019 je 00007FA930CFA7A6h 0x0000001f push edi 0x00000020 pop edi 0x00000021 jmp 00007FA930CFA7ACh 0x00000026 popad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a je 00007FA930CFA7ACh 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3A2F second address: CF3A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC41F second address: CFC432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA930CFA7A6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FA930CFA7A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC432 second address: CFC436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC436 second address: CFC43E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC43E second address: CFC444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC444 second address: CFC448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC448 second address: CFC44E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC44E second address: CFC458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC458 second address: CFC46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA712h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA2DF second address: CFA2E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA3F0 second address: CFA3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA3F4 second address: CFA3FE instructions: 0x00000000 rdtsc 0x00000002 js 00007FA930CFA7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA3FE second address: CFA408 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA930CFA70Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA408 second address: CFA415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007FA930CFA7A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA415 second address: CFA432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA930CFA706h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d ja 00007FA930CFA716h 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FA930CFA706h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA546 second address: CFA560 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA930CFA7B4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA560 second address: CFA568 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA568 second address: CFA56C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFABDB second address: CFABDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFABDF second address: CFAC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA930CFA7B5h 0x0000000d pushad 0x0000000e jnc 00007FA930CFA7A6h 0x00000014 jg 00007FA930CFA7A6h 0x0000001a push edx 0x0000001b pop edx 0x0000001c jl 00007FA930CFA7A6h 0x00000022 popad 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFAEE6 second address: CFAEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA930CFA706h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FA930CFA706h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFAEF9 second address: CFAF22 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jne 00007FA930CFA7A6h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 jmp 00007FA930CFA7B4h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB29C second address: CFB2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA711h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB2B1 second address: CFB2BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB2BF second address: CFB2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007FA930CFA713h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB2DA second address: CFB2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB8D0 second address: CFB8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB8D6 second address: CFB8DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFB8DA second address: CFB913 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA930CFA706h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e push ecx 0x0000000f jnc 00007FA930CFA706h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 pushad 0x00000019 jmp 00007FA930CFA70Dh 0x0000001e push edx 0x0000001f pop edx 0x00000020 jmp 00007FA930CFA70Dh 0x00000025 popad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFBB8B second address: CFBBCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FA930CFA7ACh 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007FA930CFA7B3h 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFBBCA second address: CFBBCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D00CE8 second address: D00CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D00CEC second address: D00CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0492B second address: D04930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04930 second address: D0493D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA930CFA708h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03DDD second address: D03DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03DF9 second address: D03E05 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D03E05 second address: D03E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04343 second address: D04349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04349 second address: D0438F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA930CFA7AEh 0x0000000a push eax 0x0000000b jmp 00007FA930CFA7B6h 0x00000010 pop eax 0x00000011 push esi 0x00000012 jng 00007FA930CFA7A6h 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b popad 0x0000001c jp 00007FA930CFA7B6h 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 pop edi 0x00000026 jl 00007FA930CFA7A6h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0467E second address: D04682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04682 second address: D04686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D04686 second address: D046B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA930CFA70Fh 0x0000000b push ecx 0x0000000c jno 00007FA930CFA706h 0x00000012 jmp 00007FA930CFA70Ch 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0AE67 second address: D0AE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA930CFA7A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0AE75 second address: D0AE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0AE79 second address: D0AE7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0AE7D second address: D0AE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA70Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B008 second address: D0B01B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA930CFA7A6h 0x0000000a pop edi 0x0000000b jc 00007FA930CFA7ACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B01B second address: D0B028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 js 00007FA930CFA706h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B18F second address: D0B195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B195 second address: D0B1A3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FA930CFA706h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0BED8 second address: D0BEE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007FA930CFA7A6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09E17 second address: D09E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FA930CFA706h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09E21 second address: D09E35 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA930CFA7A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e js 00007FA930CFA7A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09E35 second address: D09E43 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA930CFA706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12C88 second address: D12C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FA930CFA7A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12DF0 second address: D12E0E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FA930CFA719h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12E0E second address: D12E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA930CFA7ADh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12F90 second address: D12F95 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12F95 second address: D12FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA930CFA7A6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20ABE second address: D20AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA930CFA70Bh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D249F9 second address: D24A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B7h 0x00000009 jmp 00007FA930CFA7ADh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FA930CFA7A6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24A2C second address: D24A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24A30 second address: D24A34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A77D second address: D2A78D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A8FD second address: D2A905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A905 second address: D2A90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A90C second address: D2A93C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jne 00007FA930CFA7C3h 0x00000010 jmp 00007FA930CFA7B7h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A93C second address: D2A95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FA930CFA717h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FA23 second address: D2FA2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FA930CFA7A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2FA2D second address: D2FA33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B586 second address: D3B599 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B599 second address: D3B5A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B5A0 second address: D3B5D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B6h 0x00000009 popad 0x0000000a jmp 00007FA930CFA7B2h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B5D6 second address: D3B5EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA70Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B75B second address: D3B761 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B895 second address: D3B8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA930CFA706h 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007FA930CFA706h 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B8AA second address: D3B8BC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA930CFA7A8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jne 00007FA930CFA7ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B8BC second address: D3B8DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA930CFA70Ah 0x0000000d jmp 00007FA930CFA711h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B8DF second address: D3B8FC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA930CFA7B3h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B8FC second address: D3B900 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3BFBF second address: D3BFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FA930CFA7ACh 0x0000000c jno 00007FA930CFA7A6h 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3BFD4 second address: D3BFEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 ja 00007FA930CFA708h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FA930CFA71Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3BFEC second address: D3C003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA930CFA7B3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C003 second address: D3C009 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C009 second address: D3C00D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C00D second address: D3C013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3E332 second address: D3E35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007FA930CFA7A6h 0x0000000c popad 0x0000000d jg 00007FA930CFA7C0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3E35F second address: D3E384 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA930CFA719h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3E384 second address: D3E390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FA930CFA7A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3E390 second address: D3E39C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FA930CFA706h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5A700 second address: D5A749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 jmp 00007FA930CFA7B8h 0x0000000b jbe 00007FA930CFA7A6h 0x00000011 pop edi 0x00000012 pop eax 0x00000013 push esi 0x00000014 jmp 00007FA930CFA7B5h 0x00000019 pushad 0x0000001a jno 00007FA930CFA7A6h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5C522 second address: D5C54D instructions: 0x00000000 rdtsc 0x00000002 js 00007FA930CFA706h 0x00000008 jc 00007FA930CFA706h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007FA930CFA70Eh 0x00000016 jmp 00007FA930CFA70Bh 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5C54D second address: D5C553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5C553 second address: D5C559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60CA8 second address: D60CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60CAC second address: D60CBC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA930CFA706h 0x00000008 jnp 00007FA930CFA706h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64A93 second address: D64AC0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA930CFA7AFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FA930CFA7B2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64AC0 second address: D64AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64FFA second address: D65007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D65007 second address: D6500B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6500B second address: D65059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FA930CFA7BBh 0x00000015 pushad 0x00000016 ja 00007FA930CFA7A6h 0x0000001c jmp 00007FA930CFA7ACh 0x00000021 jmp 00007FA930CFA7B0h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D65059 second address: D6505F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D651CE second address: D651D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F0DC second address: D6F0E6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA930CFA70Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6F170 second address: D6F174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70B80 second address: D70B9E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA930CFA706h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA930CFA712h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70B9E second address: D70BA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70BA2 second address: D70BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70BA8 second address: D70BB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FA930CFA7A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70BB4 second address: D70BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69A6B second address: D69A7F instructions: 0x00000000 rdtsc 0x00000002 je 00007FA930CFA7A6h 0x00000008 jl 00007FA930CFA7A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69A7F second address: D69A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69A85 second address: D69A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA7B0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68788 second address: D6878E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6878E second address: D68794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68794 second address: D687B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA930CFA70Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jp 00007FA930CFA706h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D69896 second address: D6989C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6989C second address: D698CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA930CFA714h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push edi 0x00000011 jg 00007FA930CFA706h 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007FA930CFA706h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D698CD second address: D698D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CABF22 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D146F6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4AF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4CE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C5E0B4 rdtsc 0_2_00C5E0B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C74679 sidt fword ptr [esp-02h] 0_2_00C74679
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBB0CE GetSystemInfo,VirtualAlloc, 0_2_00CBB0CE
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C5E0B4 rdtsc 0_2_00C5E0B4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ADB7F6 LdrInitializeThunk, 0_2_00ADB7F6
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (one line per tactic; techniques matched for this sample carry their count in parentheses, all others are the unmatched matrix entries):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (271), Process Injection (1), Obfuscated Files or Information (2), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (271), System Information Discovery (23), Internet Connection Discovery, Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | - | -
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1561535
Start date and time:2024-11-23 17:44:06 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.458793375743167
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'784'256 bytes
MD5:38f5cd89e8b865100e7f123b9e84e2a3
SHA1:fc75e15ee0f5476a93a227172839b9846f804d1b
SHA256:b908490eebcd33d505498b1a05e560d86de224c3025e3db179479850c71bcbc2
SHA512:10e5fa293787a3bd6b53adf64756c333aff344284820f9e4c317f722998fec0b931971ef02903cd928cab52dff02c2bcd532b4c04e4dbefdd861490aa6f56df7
SSDEEP:49152:huhAZDDcuicsNZbXDx/ZELi7sflRdhCz:IOZDDcutsNZbXDx/ZEEsth
TLSH:58D53B92B505B2CFE44B26B4962BCF82595D03F94B2508C39CADA57AFE63CC111FED24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ....................... +.......*...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6ae000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FA9311BEB9Ah
Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8055           0x69          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x59c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x81f8           0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections

Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
(no name)  0x2000           0x4000        0x1200    81bc110715cdfc83ecd2e43f3e74bf30  False     0.9342447916666666   data                  7.8142055214167545  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x6000           0x59c         0x600     aae15e30898a02f09cc86ed48aa06b09  False     0.4140625            data                  4.036947054771808   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x8000           0x2000        0x200     ec9cb51e8cb4ea49a56ee3cf434fb69e  False     0.1484375            data                  0.9342685949460681  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lwvfpqpj   0xa000           0x2a2000      0x2a1c00  02cf3deba236a4c85d0f414e44cf2b20  unknown   unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nnhflwrw   0x2ac000         0x2000        0x400     b4273496e5fc546865bfa0e3723ac78b  False     0.7978515625         data                  6.189989955573055   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0x2ae000         0x4000        0x2200    04e8e0069b62f5b3d2587811715b3eb7  False     0.07134650735294118  DOS executable (COM)  0.8242649444619938  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources

Name         RVA     Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0x6090  0x30c  data                                                                                                  0.42948717948717946
RT_MANIFEST  0x63ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
Imports

DLL           Import
kernel32.dll  lstrcpy
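Read together, the section table and the import list are the static half of the packer indicators in the signature list: every section that carries code is marked readable, writable and executable; two sections have random eight-letter names and the first has no name at all; the unnamed section sits at 7.81 bits per byte and the 2.7 MB lwvfpqpj section could not even be measured; the entry point is not in a .text section; and the only import is kernel32!lstrcpy, so everything else is resolved at run time by the stub. The script below is an added example, not part of the Joe Sandbox report or its tooling. It reproduces those checks, plus the CheckSum verification behind the "invalid checksum" signature, with the Python standard library only; build_sample() constructs a small PE32 with the same shape (its section names, sizes and contents are invented) so the script runs offline.

```python
"""Static PE triage for the packer indicators this report lists. Added example,
not Joe Sandbox code; build_sample() is a constructed PE32, not the real file."""
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {b".text", b".code", b".data", b".rdata", b".idata", b".edata", b".rsrc", b".reloc", b".bss", b".tls", b".pdata"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Entry point, CheckSum field and section headers of a PE32 or PE32+ file."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24          # optional header follows the 20-byte COFF header
    checksum_off = opt + 64      # CheckSum is at +64 in both PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": pe[rawptr:rawptr + rawsize],
                         "chars": struct.unpack_from("<I", pe, off + 36)[0]})
    return {"entry": struct.unpack_from("<I", pe, opt + 16)[0],
            "checksum": struct.unpack_from("<I", pe, checksum_off)[0],
            "checksum_off": checksum_off, "sections": sections}


def pe_checksum(pe: bytes, checksum_off: int) -> int:
    """CheckSumMappedFile algorithm: fold 32-bit words with end-around carry, skip the CheckSum field, add the length."""
    padded = pe + b"\0" * (-len(pe) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(pe)) & 0xFFFFFFFF


def triage(pe: bytes) -> dict:
    """The static indicators the signature list and section table above report."""
    hdr = parse_pe(pe)
    secs, ep = hdr["sections"], hdr["entry"]
    ep_sec = next((s for s in secs
                   if s["va"] <= ep < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    return {
        "entry_section": ep_sec["name"].decode("latin-1") if ep_sec else None,
        "entry_outside_standard": ep_sec is None or ep_sec["name"] not in STANDARD_SECTIONS,
        "rwx_sections": [s["name"].decode("latin-1") for s in secs
                         if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE],
        "nonstandard_names": [s["name"].decode("latin-1") for s in secs
                              if s["name"] not in STANDARD_SECTIONS],
        "high_entropy_sections": [s["name"].decode("latin-1") for s in secs
                                  if shannon_entropy(s["raw"]) > 7.0],
        "checksum_ok": hdr["checksum"] == pe_checksum(pe, hdr["checksum_off"]),
    }


def build_sample() -> bytes:
    """Constructed PE32: small .idata, a high-entropy RWX section with an invented
    name that holds the entry point, .rsrc; CheckSum left at 0 as many packers do."""
    RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    layout = [(b".idata", 0x1000, b"\0" * 0x200, RW),
              (b"lwvfpqpj", 0x2000, bytes(range(256)) * 16, RW | IMAGE_SCN_MEM_EXECUTE),
              (b".rsrc", 0x3000, b"\0" * 0x200, RW)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6,
                      0x10B, 0, 0, 0, 0, 0, 0x2010, 0x2000, 0x1000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0, 0, 0x4000, 0x200, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty dirs
    headers, raw, ptr = b"", b"", 0x200
    for name, va, data, chars in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)
        raw, ptr = raw + data, ptr + len(data)
    head = dos + b"PE\0\0" + coff + opt + headers
    return head + b"\0" * (0x200 - len(head)) + raw


def set_checksum(pe: bytes) -> bytes:
    """Write the correct CheckSum into the header, as a /RELEASE link would."""
    off = parse_pe(pe)["checksum_off"]
    return pe[:off] + struct.pack("<I", pe_checksum(pe, off)) + pe[off + 4:]


SAMPLE = build_sample()

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To run it against the real sample, replace SAMPLE with the file's bytes; the parser reads the COFF and optional headers at the offsets the PE format fixes, so nothing else changes. A CheckSum of zero only means the linker never set it, so treat a checksum mismatch as weak evidence on its own and as strong evidence when it arrives together with RWX sections and a one-entry import table, as it does here.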
No network behavior found

Target ID:0
Start time:11:44:57
Start date:23/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0xad0000
File size:2'784'256 bytes
MD5 hash:38F5CD89E8B865100E7F123B9E84E2A3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.2%
    Dynamic/Decrypted Code Coverage:9.8%
    Signature Coverage:21.7%
    Total number of Nodes:92
    Total number of Limit Nodes:10
    execution_graph 7238 cbc068 7240 cbc074 7238->7240 7241 cbc086 7240->7241 7244 cbbc8f 7241->7244 7246 cbbd23 7244->7246 7247 cbbca0 7244->7247 7247->7246 7248 cbbafa VirtualProtect 7247->7248 7249 cbb939 7247->7249 7248->7247 7252 cbb940 7249->7252 7251 cbb98a 7251->7247 7252->7251 7254 cbb847 7252->7254 7258 cbbafa 7252->7258 7255 cbb85c 7254->7255 7256 cbb8e6 GetModuleFileNameA 7255->7256 7257 cbb91c 7255->7257 7256->7255 7257->7252 7261 cbbb0e 7258->7261 7259 cbbb26 7259->7252 7260 cbbc49 VirtualProtect 7260->7261 7261->7259 7261->7260 7262 cbb0ce GetSystemInfo 7263 cbb0ee 7262->7263 7264 cbb12c VirtualAlloc 7262->7264 7263->7264 7277 cbb41a 7264->7277 7266 cbb173 7267 cbb41a VirtualAlloc GetModuleFileNameA VirtualProtect 7266->7267 7276 cbb248 7266->7276 7270 cbb19d 7267->7270 7268 cbb264 GetModuleFileNameA VirtualProtect 7269 cbb20c 7268->7269 7271 cbb41a VirtualAlloc GetModuleFileNameA VirtualProtect 7270->7271 7270->7276 7272 cbb1c7 7271->7272 7273 cbb41a VirtualAlloc GetModuleFileNameA VirtualProtect 7272->7273 7272->7276 7274 cbb1f1 7273->7274 7274->7269 7275 cbb41a VirtualAlloc GetModuleFileNameA VirtualProtect 7274->7275 7274->7276 7275->7276 7276->7268 7276->7269 7279 cbb422 7277->7279 7280 cbb44e 7279->7280 7281 cbb436 7279->7281 7283 cbb2e6 2 API calls 7280->7283 7287 cbb2e6 7281->7287 7284 cbb45f 7283->7284 7289 cbb471 7284->7289 7292 cbb2ee 7287->7292 7290 cbb482 VirtualAlloc 7289->7290 7291 cbb46d 7289->7291 7290->7291 7293 cbb301 7292->7293 7294 cbb939 2 API calls 7293->7294 7295 cbb344 7293->7295 7294->7295 7296 4af1308 7297 4af1349 ImpersonateLoggedOnUser 7296->7297 7298 4af1376 7297->7298 7299 4af0d48 7300 4af0d93 OpenSCManagerW 7299->7300 7302 4af0ddc 7300->7302 7307 c6180e 7308 c6181f CreateFileA 7307->7308 7310 c61861 7308->7310 7311 c6ba4f 7312 c6d8f1 LoadLibraryA 7311->7312 7314 c6cb2d 7315 c6d52c 7314->7315 7316 c6cfe1 7314->7316 7317 c6d556 RegOpenKeyA 7315->7317 7318 c6d57d RegOpenKeyA 7315->7318 7316->7316 7317->7318 7319 c6d573 
7317->7319 7320 c6d59a 7318->7320 7319->7318 7320->7316 7321 c6d5de GetNativeSystemInfo 7320->7321 7321->7316 7325 c5e0b4 LoadLibraryA 7326 c5e0ca LoadLibraryA 7325->7326 7328 c5e27e 7326->7328 7329 ae10bc 7330 ae382b 7329->7330 7331 ae57f1 7330->7331 7333 cbb26f 7330->7333 7334 cbb27d 7333->7334 7335 cbb29d 7334->7335 7337 cbb53f 7334->7337 7335->7331 7338 cbb572 7337->7338 7339 cbb54f 7337->7339 7338->7334 7339->7338 7340 cbb939 2 API calls 7339->7340 7340->7338 7341 aded1e 7342 adf969 VirtualAlloc 7341->7342 7343 adf97d 7342->7343 7350 cbc0d2 7352 cbc0de 7350->7352 7353 cbc0f0 7352->7353 7354 cbc118 7353->7354 7355 cbbc8f 2 API calls 7353->7355 7355->7354 7356 adb7f6 7357 adb7fb 7356->7357 7358 adb966 LdrInitializeThunk 7357->7358 7363 4af1510 7364 4af1558 ControlService 7363->7364 7365 4af158f 7364->7365

    Control-flow Graph

    control_flow_graph 68 c5e0b4-c5e0f1 LoadLibraryA 72 c5e0f7-c5e102 68->72 73 c5e103-c5e11d 68->73 72->73 77 c5e131-c5e265 LoadLibraryA 73->77 78 c5e123-c5e125 73->78 79 c5e27e-c5e3fc 77->79 78->77 83 c5e3fd 79->83 83->83
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: u.i
    • API String ID: 1029625771-2982628862
    • Opcode ID: 4f3dfb9cce4bd50b8eec5088ee64b30e13a5833027fa146c36fb2220b38c10fa
    • Instruction ID: 3b54481709959565644660cf337d01899484bffb29045e2f5ed770cdb2aac17b
    • Opcode Fuzzy Hash: 4f3dfb9cce4bd50b8eec5088ee64b30e13a5833027fa146c36fb2220b38c10fa
    • Instruction Fuzzy Hash: 8681CEF650C300AFE3056F19DC81ABAFBE9FF95331F22482DEAC582600E77555889A57

    Control-flow Graph

    control_flow_graph 84 cbb0ce-cbb0e8 GetSystemInfo 85 cbb0ee-cbb126 84->85 86 cbb12c-cbb175 VirtualAlloc call cbb41a 84->86 85->86 90 cbb25b-cbb260 call cbb264 86->90 91 cbb17b-cbb19f call cbb41a 86->91 97 cbb262-cbb263 90->97 91->90 98 cbb1a5-cbb1c9 call cbb41a 91->98 98->90 101 cbb1cf-cbb1f3 call cbb41a 98->101 101->90 104 cbb1f9-cbb206 101->104 105 cbb22c-cbb243 call cbb41a 104->105 106 cbb20c-cbb227 104->106 109 cbb248-cbb24a 105->109 110 cbb256 106->110 109->90 111 cbb250 109->111 110->97 111->110
    APIs
    • GetSystemInfo.KERNELBASE(?,-117F5FEC), ref: 00CBB0DA
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00CBB13B
    Memory Dump Source
    • Source File: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 6ba80379f698a033b1469eb4b8fc93e50ec7fbc57db3b826006fd8e673e4841d
    • Instruction ID: 04afb8973704c77a1f7af5facace4a161f06d8cfc92ac5c34490509f62583ada
    • Opcode Fuzzy Hash: 6ba80379f698a033b1469eb4b8fc93e50ec7fbc57db3b826006fd8e673e4841d
    • Instruction Fuzzy Hash: 34414271D40206AFE325DF60C945BDAB7ACBF5C741F0014A2B217DD882E7B099D4CBA1
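The execution graph and the cbb0ce control-flow graph above show the unpacking stub's run-time pattern: GetSystemInfo, a VirtualAlloc of 0x4000 bytes as MEM_COMMIT (0x1000) and PAGE_READWRITE (0x4), then a loop through cbb41a, cbb939 and cbbafa that repeats VirtualAlloc, GetModuleFileNameA and VirtualProtect. The "Detected unpacking (changes PE section rights)" signature fires when one of those VirtualProtect calls turns pages of the sample's own image executable. The detector below is an added example, not Joe Sandbox code: it parses trace lines in the "API.Module(args), ref: addr" form the APIs list uses and flags VirtualProtect calls that grant execute rights inside the mapped image, plus VirtualAlloc calls that ask for executable memory outright. The image base 0xAD0000 comes from the process table; the image size is assumed from the section table (.taggant at 0x2ae000 plus its 0x4000 virtual size); the first two trace lines are copied from the report and the rest are constructed, so the VirtualProtect arguments in particular are not from the report.

```python
"""Flag "changes PE section rights" behaviour in an API-call trace. Added example,
not Joe Sandbox code. IMAGE_SIZE is assumed from the section table, and all but
the first two SAMPLE_TRACE lines are constructed."""
import re

PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTE_MASK = 0xF0        # set for every PAGE_EXECUTE* protection
MEM_COMMIT = 0x1000
IMAGE_BASE = 0xAD0000      # "Imagebase" in the process table above
IMAGE_SIZE = 0x2B2000      # assumed: .taggant at 0x2AE000 + its 0x4000 virtual size

CALL_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*?)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")


def parse_arg(token: str):
    """Hex argument as an int; '?' (unresolved by the tracer) becomes None."""
    token = token.strip()
    if token in ("", "?"):
        return None
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_call(line: str):
    """One trace line -> {'api', 'module', 'args', 'ref'}, or None if it is not a call line."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def in_image(addr) -> bool:
    """True when addr lies inside the sample's own mapped image."""
    return addr is not None and IMAGE_BASE <= addr < IMAGE_BASE + IMAGE_SIZE


def protection_name(value: int) -> str:
    return PAGE_NAMES.get(value & 0xFF, hex(value))


def find_unpacking_indicators(trace_lines):
    """(api, ref, reason) for VirtualProtect calls that make pages of the sample's own
    image executable, and for VirtualAlloc calls that request executable memory."""
    findings = []
    for call in filter(None, map(parse_call, trace_lines)):
        a = call["args"]
        if (call["api"] == "VirtualProtect" and len(a) >= 3 and in_image(a[0])
                and a[2] is not None and a[2] & EXECUTE_MASK):
            findings.append((call["api"], call["ref"],
                             f"own image at {a[0]:#x} (+{a[0] - IMAGE_BASE:#x}) set to {protection_name(a[2])}"))
        elif (call["api"] == "VirtualAlloc" and len(a) >= 4
                and a[3] is not None and a[3] & EXECUTE_MASK):
            committed = a[2] is not None and bool(a[2] & MEM_COMMIT)
            findings.append((call["api"], call["ref"],
                             f"{a[1] or 0:#x} bytes requested {protection_name(a[3])}, commit={committed}"))
    return findings


# First two lines copied from the APIs list above; the remaining five are constructed.
SAMPLE_TRACE = [
    "GetSystemInfo.KERNELBASE(?,-117F5FEC), ref: 00CBB0DA",
    "VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00CBB13B",
    "GetModuleFileNameA.KERNELBASE(00000000,0019F4B0,00000104), ref: 00CBB8E6",
    "VirtualProtect.KERNELBASE(00AD2000,00004000,00000040,0019F8A0), ref: 00CBBC49",
    "VirtualProtect.KERNELBASE(00AD2000,00004000,00000020,0019F8A0), ref: 00CBBAFA",
    "VirtualAlloc.KERNELBASE(00000000,00010000,00003000,00000040), ref: 00ADF969",
    "VirtualProtect.KERNELBASE(04AF0000,00001000,00000004,0019F8A0), ref: 00CBBC49",
]

if __name__ == "__main__":
    for api, ref, reason in find_unpacking_indicators(SAMPLE_TRACE):
        print(f"{api} @ {ref:#x}: {reason}")
```

The VirtualAlloc at 00CBB13B is parsed but not flagged: it asks for PAGE_READWRITE, which is how the stub stages decrypted bytes before a later VirtualProtect makes them executable. Pairing that allocation with the protect call that follows needs return values, which this trace layout does not carry, so the detector keys on the two events that are unambiguous on their own.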
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID: u.i
    • API String ID: 0-2982628862
    • Opcode ID: cfc758a54636c695fbab86a881873e30122c97e28ffb4823b1f024fd351b31de
    • Instruction ID: 58986299a712bc9ae37eaf7d24d154d933ec1e02782684364e98f2c675e016ff
    • Opcode Fuzzy Hash: cfc758a54636c695fbab86a881873e30122c97e28ffb4823b1f024fd351b31de
    • Instruction Fuzzy Hash: CB819AF250C304AFE3066F19DC81ABAFBE4EF94321F16482DEAC483651E73558859B5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID: u.i
    • API String ID: 0-2982628862
    • Opcode ID: 86828f06bc4c697a4d0527246bcfe97e5ae5ced7dd0d11838e6b7a202f42c930
    • Instruction ID: 10984c589aa0bf2f8b90eaecd3543e3ff6516013d8ac2fcf99ed2e73ad777446
    • Opcode Fuzzy Hash: 86828f06bc4c697a4d0527246bcfe97e5ae5ced7dd0d11838e6b7a202f42c930
    • Instruction Fuzzy Hash: 5771BCB650C304AFE305AF19DC81A7AFBE9FF94321F22482DE6C482600E73555889B5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID: u.i
    • API String ID: 0-2982628862
    • Opcode ID: f2e61e4f32b0915fe59472f8e5af8fbab9e5c8ebbd59c6e381b9fae86271dcc1
    • Instruction ID: 9b706e27165bf7dc0bbdf891797f76a1a0010663802b95f042717edad7123886
    • Opcode Fuzzy Hash: f2e61e4f32b0915fe59472f8e5af8fbab9e5c8ebbd59c6e381b9fae86271dcc1
    • Instruction Fuzzy Hash: 307189B250C304AFE3056F19DC81A7AFBE5FF98321F16482DE6C483610E73554858B97
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID: u.i
    • API String ID: 0-2982628862
    • Opcode ID: 449eddbf7115e75903f7521e6771697611049299d272b89127b6e2640e33a20c
    • Instruction ID: c8a17e3ec9b2b7d0c42ce9b968e4739e0c9f9bd596b9e96ba25b6bc3e4eb37bc
    • Opcode Fuzzy Hash: 449eddbf7115e75903f7521e6771697611049299d272b89127b6e2640e33a20c
    • Instruction Fuzzy Hash: A67177B250D304AFE306AF19DC81A7AFBE5FF98321F16492DE6C483610E73554848B9B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: dcb9243f984c9f67a4c75dd55dffb9823aa386f74063d85e7ca379d521641a51
    • Instruction ID: 7bb0af06c25354c08b06cb4aa2cc1bf83d9d1654b47b76174264b82e9c507609
    • Opcode Fuzzy Hash: dcb9243f984c9f67a4c75dd55dffb9823aa386f74063d85e7ca379d521641a51
    • Instruction Fuzzy Hash: 5AE0C2711684CACEDF169F208A1179E365EEB41B00F22012BFB139AF46CB3D4C1187B5

    Control-flow Graph (rendered graph not reproduced)
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00C6D569
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00C6D590
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00C6D5E7
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: d49215311440525e217d10b06f1fe5af61cf7354bc830cae840e79bd11d2272a
    • Instruction ID: 24c5ff632ec891bf55fd9c61bc0fedeaf5af356fd490b67e2d14a43e8ff07cec
    • Opcode Fuzzy Hash: d49215311440525e217d10b06f1fe5af61cf7354bc830cae840e79bd11d2272a
    • Instruction Fuzzy Hash: 414116B140820EDFEB21EF55C889AEE7AF4FF15314F01081AE982C2951D7768DA4CF1A

    Control-flow Graph (rendered graph not reproduced)
    Memory Dump Source
    • Source File: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 775d3c80e78f011e075d95ecaf2317c25f8605ac8cc802a66b9ad332906cfe5d
    • Instruction ID: de156f989f1026358d8fdc6e2c21b434ba06f06f3ebbdd2b28f52ff38a3d52a5
    • Opcode Fuzzy Hash: 775d3c80e78f011e075d95ecaf2317c25f8605ac8cc802a66b9ad332906cfe5d
    • Instruction Fuzzy Hash: A7419BB1900209EFEB24CF14C944BFEBBB0FF00315F248495F916AA591CBB1AE90DB90

Control-flow Graph: basic blocks c61915 through c61c2a (graph rendering omitted); the block at c61a03-c61a20 calls CreateFileA.
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00C61A04
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0ceaaf83082bb01b46650bd470377b910a2d706fcf4ce61a29295d5aa6db7959
    • Instruction ID: 38eb5e18aeaf205c46795dbf615380498207a2178bac57db6d908a84ef2a5c1d
    • Opcode Fuzzy Hash: 0ceaaf83082bb01b46650bd470377b910a2d706fcf4ce61a29295d5aa6db7959
    • Instruction Fuzzy Hash: 4D21A7F314E2913DF212C6D55EA09FA6B6DDA9377673C8966FC02D7843D2904D496230

Control-flow Graph: basic blocks c6193b through c61c2a (graph rendering omitted); the block at c61a03-c61a20 calls CreateFileA.
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00C61A04
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8cff7e8784caa8373e3d1917819c66aede959f50c3226dcb9fbeea8d41acae90
    • Instruction ID: 0086fb6b59eaaf00bd629fb6b49950997db6dcb2456afee834b423ce310f4594
    • Opcode Fuzzy Hash: 8cff7e8784caa8373e3d1917819c66aede959f50c3226dcb9fbeea8d41acae90
    • Instruction Fuzzy Hash: 80117CF72892513DB121C5D56FA0DFBA75DE5C277A73C8926FC02E2803E2914D493130

Control-flow Graph: basic blocks c617b0 through c61c2a (graph rendering omitted); the block at c6181f-c6185b calls CreateFileA.
    APIs
    • CreateFileA.KERNELBASE(?,8C39F7D2,00000003), ref: 00C6184D
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: adb0e8176c8b8b354f08f5caa6013840be70277b736b7aeaf6a5ff7b6b765902
    • Instruction ID: d49c6ebaf2826e2d64e31f5116126825a08aba84b422452e51d51267c77fe017
    • Opcode Fuzzy Hash: adb0e8176c8b8b354f08f5caa6013840be70277b736b7aeaf6a5ff7b6b765902
    • Instruction Fuzzy Hash: 78213A72608245AEE3309E215994BFF7BA9EB99732F3E802AEC41D7183D2654C459324

Control-flow Graph: basic blocks c61960 through c61c2a (graph rendering omitted); the block at c61a03-c61a20 calls CreateFileA.
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00C61A04
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 7483a599c0201f589313372a79cc17358ee466ceef2707d46012b7f6cb996a50
    • Instruction ID: 5e8fd9143bb1f0587538748700ab3e0b0911117a72609aeaa5be303988a38ba4
    • Opcode Fuzzy Hash: 7483a599c0201f589313372a79cc17358ee466ceef2707d46012b7f6cb996a50
    • Instruction Fuzzy Hash: D211C2F714D2417EF611CAC5AFE09FAB76DEA8233A7388956FC02DB903D2514D096630

Control-flow Graph: basic blocks c617e3 through c61c2a (graph rendering omitted); the block at c61846-c6185b calls CreateFileA.
    APIs
    • CreateFileA.KERNELBASE(?,8C39F7D2,00000003), ref: 00C6184D
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: f94a72b1a30926a3e8e611f20f20d433fc4e0dabaed5860c495228a2a3072e3f
    • Instruction ID: 779d310d58dc8c560096f7d04ffc0d162899930dd7ac1a0cbd92eee04c74422a
    • Opcode Fuzzy Hash: f94a72b1a30926a3e8e611f20f20d433fc4e0dabaed5860c495228a2a3072e3f
    • Instruction Fuzzy Hash: A7113A73648245AED3309F2598956BA7BA9EB9D731F3E802AE845D7182D3208C458720

    Control-flow Graph
    APIs
    • CreateFileA.KERNELBASE(?,8C39F7D2,00000003), ref: 00C6184D
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1587821261e1f447aef870b1487085b81637e1a071b0fbd89892cb93af243842
    • Instruction ID: ba3c77c768ffb0d840b09c7ca6e572bff8fe388260937f4d5cc3a3c0bb993414
    • Opcode Fuzzy Hash: 1587821261e1f447aef870b1487085b81637e1a071b0fbd89892cb93af243842
    • Instruction Fuzzy Hash: A1110272648295AED3219F219864BFB7FF9DB8A332F3E446BE881D7183D2644C458720

    Control-flow Graph
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00CBB8F4
    Memory Dump Source
    • Source File: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 278a0e1f57c5a2ae2f6941765a6dc4da007fa746f1f44a0512ccb8891db00da4
    • Instruction ID: 97b2e2fc15777b10500f2e7f0a8ff3415a884577003ca7d73fbd6546f4390503
    • Opcode Fuzzy Hash: 278a0e1f57c5a2ae2f6941765a6dc4da007fa746f1f44a0512ccb8891db00da4
    • Instruction Fuzzy Hash: 35110871E05625EFEB308A05CC48BFFB77CEF14720F1080A1EA45A6181D7F4DE808AA0

    Control-flow Graph
    APIs
    • CreateFileA.KERNELBASE(?,8C39F7D2,00000003), ref: 00C6184D
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b054ef188df496b73d291636a605c3ee78c3a206ab91ede5d873b13ebf4715e2
    • Instruction ID: e69fb860201370950d6e86ed82c4d82e71f0c4f557059d4b14352d5b3de36ad5
    • Opcode Fuzzy Hash: b054ef188df496b73d291636a605c3ee78c3a206ab91ede5d873b13ebf4715e2
    • Instruction Fuzzy Hash: FD01D676248255AED3209F259864BFBBFEDDBCA771F3A402AF885D7183C2644C458724

    Control-flow Graph
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04AF0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2269539883.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4af0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: e38d3609fa57c3bc1673de1672ef2b16d313208645c4f9a4da476aab8fe0bbe9
    • Instruction ID: 45799f0bf24f7d36402a2747449164d9b13c8c436afa7a27c12d7ad34cc1f9a8
    • Opcode Fuzzy Hash: e38d3609fa57c3bc1673de1672ef2b16d313208645c4f9a4da476aab8fe0bbe9
    • Instruction Fuzzy Hash: A62134B6C012199FCB50CF99D884ADEFBB0FF88720F14811AE918AB205D774A544CFA5

    Control-flow Graph
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04AF0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2269539883.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4af0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: a9ce302281fd912605ff0ab5df9fa0375e06ed37a318156f361381b59a67c64d
    • Instruction ID: 707e813d76ba0f7efb26e4c2ea51f745e5665eaea97ba64f117856fc24981e4e
    • Opcode Fuzzy Hash: a9ce302281fd912605ff0ab5df9fa0375e06ed37a318156f361381b59a67c64d
    • Instruction Fuzzy Hash: 112133B6C012099FCB50CF99D884BDEFBF4EF88720F14821AE908AB205D774A544CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04AF1580
    Memory Dump Source
    • Source File: 00000000.00000002.2269539883.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4af0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: d2aeb8e24686392b915ed308cf4696f564eec6d8b3e31946fa6c4522a5c16989
    • Instruction ID: 7f3e3f61ade65d8780872ebce828fcab13586ccaa43afff14fe339e22e6609c2
    • Opcode Fuzzy Hash: d2aeb8e24686392b915ed308cf4696f564eec6d8b3e31946fa6c4522a5c16989
    • Instruction Fuzzy Hash: C221D3B1900649DFDB10CF9AC584BDEFBF4EB48320F108429E959A7250D778AA45CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04AF1580
    Memory Dump Source
    • Source File: 00000000.00000002.2269539883.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4af0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 1df95b37bd00c86c097950c61d4f89a05f5b9a086f6e77dda0c45ddcbcec7f24
    • Instruction ID: 70e8bf9e1cb9d2c2208c2411f902d3d015e999ceb2377649330e4599ee6a4559
    • Opcode Fuzzy Hash: 1df95b37bd00c86c097950c61d4f89a05f5b9a086f6e77dda0c45ddcbcec7f24
    • Instruction Fuzzy Hash: 5211D3B1900249DFDB10CF9AC984BDEFBF4EB48320F108429E959A3250D778AA44CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04AF1367
    Memory Dump Source
    • Source File: 00000000.00000002.2269539883.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4af0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 22319135a85d0d7ff25e11ba1cbc7073b72cefeb07d315565aa98dc9359cad65
    • Instruction ID: 37581633923a239fbd860bd82e0becc588bf7f48186db0002c525ab14430d352
    • Opcode Fuzzy Hash: 22319135a85d0d7ff25e11ba1cbc7073b72cefeb07d315565aa98dc9359cad65
    • Instruction Fuzzy Hash: 3B1125B1800249CFDB10DF9AC545BDEFBF4EF48324F20841AE568A3640D778A994CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04AF1367
    Memory Dump Source
    • Source File: 00000000.00000002.2269539883.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4af0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 45f4789669116ac88fc3826149af365092a3bee345ef0b20e7f7b51363aae95d
    • Instruction ID: aed25dd49329a6f4eb8fde1d2c3dfebd06bfa24112704c31d75b89a01bf61ca2
    • Opcode Fuzzy Hash: 45f4789669116ac88fc3826149af365092a3bee345ef0b20e7f7b51363aae95d
    • Instruction Fuzzy Hash: E611F2B1800249CFDB10CF9AC945BDEFBF8AF48724F24846AE558A3650D778A944CBA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 846c71d97a4b7483a6c90fbb7e7963ed50f0219a643d0b642f76fc72e22a8917
    • Instruction ID: 78f5c0e0db97f28e71ac8c36affcf6ebe763e6f25a964501145b4e3b1739e4bf
    • Opcode Fuzzy Hash: 846c71d97a4b7483a6c90fbb7e7963ed50f0219a643d0b642f76fc72e22a8917
    • Instruction Fuzzy Hash: 0201F272809B985BD7629F318CD43AEBBA4EF42325F5D059EE88247482E2601D45CB19
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 00C61A04
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 11375f7bae2b9ef17938a9f16d59266dbd4a288cae4697cd9b62876c0b815389
    • Instruction ID: 6bfa5d962549b5604f0fb8b10e86c444947285d7ef40943cc0a92353e2360b76
    • Opcode Fuzzy Hash: 11375f7bae2b9ef17938a9f16d59266dbd4a288cae4697cd9b62876c0b815389
    • Instruction Fuzzy Hash: D2E07D920863C03CC92042F80EC6A7F1B0DCE5037773C9921ED41DA943E404C50D3230
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 3223a982ceee0114ef63063e613863641ac91d8ea7b731bd1839035e4af69194
    • Instruction ID: ed64577d5928ef847fc30884840f1974ec80ab47d1190133ee0bd3e1994dfe77
    • Opcode Fuzzy Hash: 3223a982ceee0114ef63063e613863641ac91d8ea7b731bd1839035e4af69194
    • Instruction Fuzzy Hash: EDE0C235441614ABD7505F30EC843DE7BA4EF81729F294056F442C70C1D2350D439A9D
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 2d0ccf1068bf519ecccddbe9bb493869a72695be1dd42d6b6060b4a6864a6740
    • Instruction ID: 20a03fb9e9c7233dead3127a10b82b26fe0c549ee54e9e1b3845d339434ac877
    • Opcode Fuzzy Hash: 2d0ccf1068bf519ecccddbe9bb493869a72695be1dd42d6b6060b4a6864a6740
    • Instruction Fuzzy Hash: 5ED0C775A4C1608BCB165E9994A447DB7D09E49360F15083DFDC2C7300D164545197C6
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00ADF025
    Memory Dump Source
    • Source File: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    • Associated: 00000000.00000002.2266798076.0000000000AD0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266812792.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266828872.0000000000AD6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266861371.0000000000AE6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2266968832.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267016378.0000000000C43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267040415.0000000000C5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267056563.0000000000C5C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C5E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267072822.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267106159.0000000000C71000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267140969.0000000000C82000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267156681.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267172413.0000000000C85000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267187122.0000000000C86000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267201282.0000000000C87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267216188.0000000000C88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267232857.0000000000C97000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267247208.0000000000C98000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267262898.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267278421.0000000000CA3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267293808.0000000000CA4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267309983.0000000000CAB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267326685.0000000000CB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267341631.0000000000CB6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267356545.0000000000CB7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267391108.0000000000CC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267406269.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267424200.0000000000CDC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267439810.0000000000CE3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267455305.0000000000CE4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267470309.0000000000CE7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267485660.0000000000CEF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267500280.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267516171.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267533084.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267552778.0000000000D02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267569173.0000000000D05000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267588086.0000000000D06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267604394.0000000000D0D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267658035.0000000000D64000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267699705.0000000000D66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D67000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267732637.0000000000D6E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267789026.0000000000D7C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2267803984.0000000000D7E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: c9ae4e5d28341f7ee5a5fab97f3c951bdb78549e52a2c6b75d03dd5d494083be
    • Instruction ID: 4f74e1fc7cbdddb4975dd9e4d2b71d9beb242f8dc89bcc6b5a1bfa13d256632e
    • Opcode Fuzzy Hash: c9ae4e5d28341f7ee5a5fab97f3c951bdb78549e52a2c6b75d03dd5d494083be
    • Instruction Fuzzy Hash: 7901D6B290C241DFE3106F28CD5577BB6E5EB44740F25082AEF8787300E5710C50A747
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00CBB46D,?,?,00CBB173,?,?,00CBB173,?,?,00CBB173), ref: 00CBB491
    Memory Dump Source
    • Source File: 00000000.00000002.2267372247.0000000000CB9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: ca53710c2aac686382132e1db1cbf3ca1488dbe9df4af163f2b94c3450c0a181
    • Instruction ID: 03956f3f780419d0628b7fd38e25414a93f46636faf51ff67b18d96174f851de
    • Opcode Fuzzy Hash: ca53710c2aac686382132e1db1cbf3ca1488dbe9df4af163f2b94c3450c0a181
    • Instruction Fuzzy Hash: B6F031B1900205EFE725CF14C905B9ABBB4FF59762F208469F55AAB592D3F19CC08B90
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00ADF96B
    Memory Dump Source
    • Source File: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 0d25bdf9b40eb4965fd3cbf6e7991920ea745cc6314e57b57a54dbc6edec0665
    • Instruction ID: c33144f8b92277396b5ed7b4d866940311b87e840adef1a5511108b1b5734984
    • Opcode Fuzzy Hash: 0d25bdf9b40eb4965fd3cbf6e7991920ea745cc6314e57b57a54dbc6edec0665
    • Instruction Fuzzy Hash: 59E0B63580C559CFEB006F78844865E7AF0EF04361F110A2AEDA6D3780D7714C608B96
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2266844511.0000000000ADA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    • Opcode ID: f2f2079599715d91fc54f4b833781ba284d11b67ad04d97be1b4f1cab1d945d4
    • Instruction ID: 3dc7fcc47c16eab7ddb87be2497e2f11f79a08af0a56b3af690d0b58d14460d4
    • Opcode Fuzzy Hash: f2f2079599715d91fc54f4b833781ba284d11b67ad04d97be1b4f1cab1d945d4
    • Instruction Fuzzy Hash: 5471C0B250420E9FDF01EF26C5402EF77A4EF66321F14462BE8438FB42C6B65E529B59
    Memory Dump Source
    • Source File: 00000000.00000002.2267121518.0000000000C73000.00000040.00000001.01000000.00000003.sdmp, Offset: 00AD0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ad0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 41122f4f34e9e37423f857fd589d26d1e1d5bd9e39ce889cff4640677c075c2b
    • Instruction ID: 6c78883acac991ea90d5dc7446f876bd9c4016a7fe791f49eb78f5df371cd992
    • Opcode Fuzzy Hash: 41122f4f34e9e37423f857fd589d26d1e1d5bd9e39ce889cff4640677c075c2b
    • Instruction Fuzzy Hash: F3E04F760041019EC7019F54C85599FFBF8FF19320F648455F484CB722C3354D51CB29