Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561815
MD5: c5c5dfb5a92ee653b1a4c8b1590f62b3
SHA1: 24db11344adb4edae49f7251fb09ee8b8d1be3fe
SHA256: 802283ac30947219df587580814ba6c717ab76c240e54804b2f9ef0612df5469
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4580 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C5C5DFB5A92EE653B1A4C8B1590F62B3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F46912 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2226193536.0000000005370000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE2000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE22D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6BAE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6BA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6DC61
Source: file.exe, 00000000.00000002.2360770817.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2213706623.0000000000D66000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 1#IRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2781696 > 1048576
Source: file.exe | Static PE information: Raw size of yfiarvre is bigger than: 0x100000 < 0x2a1200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2226193536.0000000005370000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W;yfiarvre:EW;kcckixnl:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2aec83 should be: 0x2ad51f
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: yfiarvre
Source: file.exe | Static PE information: section name: kcckixnl
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6310 push edi; mov dword ptr [esp], 7F8F5FF4h 0_2_00EE633E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6310 push edi; mov dword ptr [esp], eax 0_2_00EE6427
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6461 push ebx; mov dword ptr [esp], esi 0_2_00EE6498
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE6461 push 5B324DACh; mov dword ptr [esp], edx 0_2_00EE64D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6E5C4 push esi; mov dword ptr [esp], edx 0_2_00D6EBC2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6E5C4 push edx; mov dword ptr [esp], ebp 0_2_00D6EBD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6E5C4 push ebx; mov dword ptr [esp], ebp 0_2_00D6F3D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6E5C4 push ebp; mov dword ptr [esp], edx 0_2_00D6F3D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE78FA push eax; mov dword ptr [esp], ecx 0_2_00EE78FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D720CC push ecx; mov dword ptr [esp], ebx 0_2_00D7406F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE68CE push 1C56BCBCh; mov dword ptr [esp], ebp 0_2_00EE68FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE68CE push 3B2C5534h; mov dword ptr [esp], edi 0_2_00EE6957
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D720F2 push 572084A6h; mov dword ptr [esp], esi 0_2_00D74B1A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE68DE push 1C56BCBCh; mov dword ptr [esp], ebp 0_2_00EE68FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE68DE push 3B2C5534h; mov dword ptr [esp], edi 0_2_00EE6957
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE78DC push 3CD49549h; mov dword ptr [esp], ecx 0_2_00EE7C6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D710EB push ecx; mov dword ptr [esp], ebp 0_2_00D756BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D74094 push eax; mov dword ptr [esp], ebx 0_2_00D74121
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71081 push edx; mov dword ptr [esp], 3EB9DD00h 0_2_00D71082
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71081 push 54B96291h; mov dword ptr [esp], edi 0_2_00D7216A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1F091 push esi; mov dword ptr [esp], 00000004h 0_2_00F1F168
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6E8A2 push ecx; mov dword ptr [esp], esi 0_2_00D6EA01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE987A push esi; ret 0_2_00EE9889
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F049 push ebp; mov dword ptr [esp], ecx 0_2_00D6F257
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7307A push ecx; mov dword ptr [esp], ebp 0_2_00D74870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE3052 push 513F58F9h; mov dword ptr [esp], ebp 0_2_00EE3074
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6C013 push edx; mov dword ptr [esp], ebx 0_2_00D6C28B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7201D push eax; mov dword ptr [esp], ebx 0_2_00D742E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7201D push ecx; mov dword ptr [esp], esi 0_2_00D750F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D73818 push ebp; mov dword ptr [esp], eax 0_2_00D7382A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE3032 push 1124B3DDh; mov dword ptr [esp], ebx 0_2_00EE35CF
Source: file.exe | Static PE information: section name: entropy: 7.802799345548783

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6E43F second address: D6E443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17AA0 second address: F17AE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0518604h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FB1D05185F8h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 xor dword ptr [esp], 44C7C70Ah 0x00000019 jnl 00007FB1D05185F6h 0x0000001f push 47115836h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FB1D05185FEh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17AE5 second address: F17AF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17F60 second address: F17F64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17F64 second address: F17F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F188F8 second address: F18909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18909 second address: F1890F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18A04 second address: F18A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18A08 second address: F18A1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63800h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18A1C second address: F18A35 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB1D05185FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F18C47 second address: F18C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0D63805h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB1D0D63800h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1B6E6 second address: F1B6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1B6EB second address: F1B6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1D72E second address: F1D77E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB1D05185FBh 0x0000000b popad 0x0000000c nop 0x0000000d movsx esi, di 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FB1D05185F8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, 21698408h 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jno 00007FB1D05185F6h 0x0000003d jp 00007FB1D05185F6h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1E246 second address: F1E24C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F237D1 second address: F237D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23C75 second address: F23C8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63806h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23C8F second address: F23CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB1D0518609h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24CE0 second address: F24CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24CE4 second address: F24CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F24CE8 second address: F24CEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EAB9 second address: F1EABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1EABD second address: F1EAC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25C08 second address: F25C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23E11 second address: F23E1B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F23E1B second address: F23E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27ECA second address: F27ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27ED0 second address: F27EE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007FB1D0518608h 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FB1D05185F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F25E26 second address: F25E2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27003 second address: F27007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27EE7 second address: F27F60 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB1D0D637F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FB1D0D637F8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D2D76h] 0x0000002b adc ebx, 546E4A27h 0x00000031 push 00000000h 0x00000033 mov edi, dword ptr [ebp+1246906Bh] 0x00000039 mov edi, dword ptr [ebp+122D2AA8h] 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ebx 0x00000044 call 00007FB1D0D637F8h 0x00000049 pop ebx 0x0000004a mov dword ptr [esp+04h], ebx 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc ebx 0x00000057 push ebx 0x00000058 ret 0x00000059 pop ebx 0x0000005a ret 0x0000005b push eax 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FB1D0D637FEh 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27007 second address: F27010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27F60 second address: F27F66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F27010 second address: F27021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB1D05185F6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push esi 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28F0D second address: F28F32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D383Dh], esi 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D28FDh], eax 0x00000017 push 00000000h 0x00000019 clc 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007FB1D0D637F6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28F32 second address: F28F38 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F28F38 second address: F28F48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29E6D second address: F29E7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FB1D05185F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F29E7B second address: F29E93 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB1D0D637F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB1D0D637FAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2A03F second address: F2A04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2AF12 second address: F2AF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, dword ptr [ebp+1247017Dh] 0x0000000e push dword ptr fs:[00000000h] 0x00000015 mov di, si 0x00000018 mov edi, esi 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007FB1D0D637F8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b mov edi, 5EE088E8h 0x00000040 mov eax, dword ptr [ebp+122D12E1h] 0x00000046 jmp 00007FB1D0D637FFh 0x0000004b or bx, 41F6h 0x00000050 push FFFFFFFFh 0x00000052 mov edi, dword ptr [ebp+122D2934h] 0x00000058 nop 0x00000059 jns 00007FB1D0D637FEh 0x0000005f push eax 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 jc 00007FB1D0D637F6h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2DC63 second address: F2DC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2DC70 second address: F2DC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2CE6C second address: F2CE72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2BF99 second address: F2BF9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C08C second address: F2C091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2FD06 second address: F2FD0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2FD0A second address: F2FD10 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30CA6 second address: F30D3E instructions: 0x00000000 rdtsc 0x00000002 je 00007FB1D0D637F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnc 00007FB1D0D6380Ah 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FB1D0D637F8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e mov ebx, 2406ACD7h 0x00000033 sbb di, 9BB4h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007FB1D0D637F8h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000019h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov di, si 0x00000057 push 00000000h 0x00000059 mov ebx, dword ptr [ebp+122D26A1h] 0x0000005f xchg eax, esi 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FB1D0D63805h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30D3E second address: F30D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30D42 second address: F30D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F334CD second address: F334D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F334D1 second address: F334EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63806h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED35FA second address: ED35FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED35FE second address: ED3615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB1D0D637F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30EF5 second address: F30EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F30EFB second address: F30EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F35B00 second address: F35B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F35B04 second address: F35B1A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jc 00007FB1D0D63804h 0x0000000d pushad 0x0000000e jnp 00007FB1D0D637F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3CC5F second address: F3CC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007FB1D05185F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDA2BA second address: EDA2C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EDA2C0 second address: EDA2C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED015D second address: ED0161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED0161 second address: ED0167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ED0167 second address: ED0177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB1D0D637FEh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FD5A second address: F3FD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FD63 second address: F3FD69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FD69 second address: F3FD6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FD6D second address: F3FD7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jg 00007FB1D0D637F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FD7C second address: F3FD82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FEBD second address: F3FEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FEC5 second address: F3FECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F3FECC second address: F3FEE5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB1D0D6380Bh 0x00000008 jmp 00007FB1D0D637FFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F4003D second address: F40041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F50795 second address: F507C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63802h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f jmp 00007FB1D0D63800h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F507C6 second address: F507CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F507CA second address: D6DCD6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 cld 0x00000009 push dword ptr [ebp+122D1141h] 0x0000000f pushad 0x00000010 jbe 00007FB1D0D637F9h 0x00000016 jmp 00007FB1D0D63809h 0x0000001b popad 0x0000001c jns 00007FB1D0D637F7h 0x00000022 call dword ptr [ebp+122D2E74h] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D1D65h], ecx 0x0000002f xor eax, eax 0x00000031 stc 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 cld 0x00000037 cld 0x00000038 mov dword ptr [ebp+122D2C32h], eax 0x0000003e jmp 00007FB1D0D63800h 0x00000043 mov esi, 0000003Ch 0x00000048 sub dword ptr [ebp+122D292Ah], edx 0x0000004e add esi, dword ptr [esp+24h] 0x00000052 sub dword ptr [ebp+122D2886h], edx 0x00000058 lodsw 0x0000005a mov dword ptr [ebp+122D28A0h], ebx 0x00000060 add eax, dword ptr [esp+24h] 0x00000064 jmp 00007FB1D0D637FBh 0x00000069 mov ebx, dword ptr [esp+24h] 0x0000006d xor dword ptr [ebp+122D28A0h], edi 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 push ebx 0x00000077 jmp 00007FB1D0D637FBh 0x0000007c pop ebx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54237 second address: F54254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0518605h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F54B22 second address: F54B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5507C second address: F5508B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D05185FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5508B second address: F55091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F55091 second address: F55095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F59F54 second address: F59F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F229 second address: F5F22F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F22F second address: F5F247 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB1D0D637FEh 0x00000009 jns 00007FB1D0D637F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5F247 second address: F5F24B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E0E9 second address: F5E0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F165AA second address: F16601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0518601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D286Dh], ebx 0x00000012 lea eax, dword ptr [ebp+1247C398h] 0x00000018 jmp 00007FB1D0518605h 0x0000001d nop 0x0000001e pushad 0x0000001f jl 00007FB1D05185F8h 0x00000025 push edx 0x00000026 pop edx 0x00000027 jmp 00007FB1D05185FDh 0x0000002c popad 0x0000002d push eax 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16601 second address: F16605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16605 second address: F16613 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FB1D05185F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16613 second address: EFCD69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b xor dx, 64A1h 0x00000010 call dword ptr [ebp+12453D79h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB1D0D63801h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1666C second address: F16670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16670 second address: F16676 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16934 second address: F16958 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0518608h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16958 second address: D6DCD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ecx, dword ptr [ebp+122D2C4Eh] 0x00000010 push dword ptr [ebp+122D1141h] 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FB1D0D637F8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 mov dx, si 0x00000033 call dword ptr [ebp+122D2E74h] 0x00000039 pushad 0x0000003a mov dword ptr [ebp+122D1D65h], ecx 0x00000040 xor eax, eax 0x00000042 stc 0x00000043 mov edx, dword ptr [esp+28h] 0x00000047 cld 0x00000048 cld 0x00000049 mov dword ptr [ebp+122D2C32h], eax 0x0000004f jmp 00007FB1D0D63800h 0x00000054 mov esi, 0000003Ch 0x00000059 sub dword ptr [ebp+122D292Ah], edx 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 sub dword ptr [ebp+122D2886h], edx 0x00000069 lodsw 0x0000006b mov dword ptr [ebp+122D28A0h], ebx 0x00000071 add eax, dword ptr [esp+24h] 0x00000075 jmp 00007FB1D0D637FBh 0x0000007a mov ebx, dword ptr [esp+24h] 0x0000007e xor dword ptr [ebp+122D28A0h], edi 0x00000084 nop 0x00000085 push eax 0x00000086 push edx 0x00000087 push ebx 0x00000088 jmp 00007FB1D0D637FBh 0x0000008d pop ebx 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16B24 second address: F16B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16B28 second address: F16B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jns 00007FB1D0D63816h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16B45 second address: F16B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0518608h 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FB1D05185FBh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FB1D05185FBh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16CE7 second address: F16D27 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB1D0D6380Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FB1D0D63805h 0x00000010 xchg eax, esi 0x00000011 mov dl, 12h 0x00000013 nop 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16D27 second address: F16D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16D35 second address: F16D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16D39 second address: F16D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F16DE9 second address: F16DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1770E second address: F1774E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FB1D05185F8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 lea eax, dword ptr [ebp+1247C3DCh] 0x0000002b je 00007FB1D05185F6h 0x00000031 push eax 0x00000032 push esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F1774E second address: F17752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F17752 second address: F177AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2709h], eax 0x00000010 lea eax, dword ptr [ebp+1247C398h] 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FB1D05185F8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 nop 0x00000031 pushad 0x00000032 jl 00007FB1D0518601h 0x00000038 jmp 00007FB1D05185FBh 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FB1D05185FBh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F177AA second address: F177C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB1D0D637FFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F177C3 second address: F177CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB1D05185F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F177CD second address: EFD922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63802h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edx, dword ptr [ebp+122D2B82h] 0x00000012 call dword ptr [ebp+122D2EABh] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c pop eax 0x0000001d pushad 0x0000001e popad 0x0000001f push esi 0x00000020 pop esi 0x00000021 popad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD922 second address: EFD927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD927 second address: EFD943 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB1D0D63807h 0x00000008 jmp 00007FB1D0D63801h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD943 second address: EFD95F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB1D05185F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FB1D05185F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EFD95F second address: EFD963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ECE6B2 second address: ECE6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E531 second address: F5E535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F5E535 second address: F5E53C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F620FA second address: F620FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F620FF second address: F62104 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66B30 second address: F66B51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FAh 0x00000007 jnp 00007FB1D0D637F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB1D0D637FBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66B51 second address: F66B55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66B55 second address: F66B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66B5B second address: F66B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB1D05185FEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66F91 second address: F66F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66F95 second address: F66F9F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66F9F second address: F66FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB1D0D637F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F66FA9 second address: F66FAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F67248 second address: F67250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F67250 second address: F67256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6753E second address: F6755F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB1D0D63809h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6DEED second address: F6DEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB1D05185F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FB1D05185F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C8F0 second address: F6C8F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6C8F4 second address: F6C90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB1D05185F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FB1D05185F6h 0x00000014 jo 00007FB1D05185F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CA75 second address: F6CA8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FB1D0D637F6h 0x0000000d jmp 00007FB1D0D637FDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CA8F second address: F6CAB1 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB1D05185F6h 0x00000008 jmp 00007FB1D05185FEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 jo 00007FB1D05185F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CAB1 second address: F6CAB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CAB7 second address: F6CAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007FB1D05185F6h 0x0000000d jng 00007FB1D05185F6h 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007FB1D0518606h 0x0000001b jnl 00007FB1D0518602h 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CAFB second address: F6CAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CC4A second address: F6CC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CC50 second address: F6CC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CC54 second address: F6CC5A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CC5A second address: F6CC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CC66 second address: F6CC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CC6A second address: F6CC77 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CD8D second address: F6CD97 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB1D05185F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CEDB second address: F6CEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6CEE1 second address: F6CEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D033 second address: F6D042 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB1D0D637F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D333 second address: F6D33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB1D05185F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D33D second address: F6D341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D341 second address: F6D390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0518608h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007FB1D05185FBh 0x00000011 jmp 00007FB1D0518608h 0x00000016 pop edx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b jns 00007FB1D05185F6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D390 second address: F6D3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB1D0D637F6h 0x0000000a jmp 00007FB1D0D63804h 0x0000000f popad 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D3B4 second address: F6D3C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jc 00007FB1D05185F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D51F second address: F6D523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D523 second address: F6D52C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D653 second address: F6D657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D657 second address: F6D663 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007FB1D05185F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D933 second address: F6D951 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB1D0D63808h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6D951 second address: F6D958 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F6DD8C second address: F6DD92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F71354 second address: F71363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F71363 second address: F71369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F71369 second address: F7136D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F70BEE second address: F70BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7381F second address: F73838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007FB1D05185F6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FB1D05185F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F799EC second address: F799F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F799F2 second address: F79A23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0518606h 0x00000007 jmp 00007FB1D05185FCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007FB1D05185F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F79A23 second address: F79A3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63803h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7D96B second address: F7D99B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB1D05185F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b je 00007FB1D051860Fh 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007FB1D0518607h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CC55 second address: F7CC6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB1D0D637F6h 0x0000000a jmp 00007FB1D0D637FDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CC6C second address: F7CC7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FB1D05185FEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CE19 second address: F7CE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7CE1D second address: F7CE26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81D79 second address: F81D86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FB1D0D637F6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81D86 second address: F81D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81D8F second address: F81D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81EBB second address: F81EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81EBF second address: F81EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63808h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81EE5 second address: F81F08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0518609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8209F second address: F820B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FDh 0x00000007 js 00007FB1D0D637F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F820B6 second address: F820C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FB1D05185F6h 0x0000000a jc 00007FB1D05185F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823A7 second address: F823BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB1D0D637FDh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823BA second address: F823BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F823BE second address: F823C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F171C8 second address: F17267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FB1D05185F8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+1247C3D7h] 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007FB1D05185F8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov dx, FF23h 0x00000047 mov dword ptr [ebp+122D2475h], edx 0x0000004d add eax, ebx 0x0000004f mov edi, dword ptr [ebp+122D2AD6h] 0x00000055 push eax 0x00000056 jmp 00007FB1D0518609h 0x0000005b mov dword ptr [esp], eax 0x0000005e mov edx, 0F5CD91Dh 0x00000063 push 00000004h 0x00000065 sub edi, 67AE4DCAh 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007FB1D05185FEh 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F826AC second address: F826B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F826B0 second address: F826E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0518601h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FB1D05185F6h 0x00000013 jmp 00007FB1D0518608h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F826E7 second address: F826EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F826EB second address: F826F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F826F1 second address: F826F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82866 second address: F82875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D05185FBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F82875 second address: F828A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63800h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB1D0D63807h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F828A2 second address: F828A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F89BC8 second address: F89BFA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB1D0D63800h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB1D0D63809h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F89BFA second address: F89C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8A3E2 second address: F8A405 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB1D0D637F6h 0x00000008 jmp 00007FB1D0D63809h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8A405 second address: F8A42F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB1D0518604h 0x00000008 jmp 00007FB1D05185FBh 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8A6D2 second address: F8A6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ACB5 second address: F8ACB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ACB9 second address: F8ACD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007FB1D0D637F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8E9EC second address: F8EA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jng 00007FB1D0518602h 0x0000000c jne 00007FB1D05185F6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8EA00 second address: F8EA07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8EA07 second address: F8EA17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 js 00007FB1D051861Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8EA17 second address: F8EA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0D63806h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ECCC second address: F8ECD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ECD0 second address: F8ECD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ECD4 second address: F8ECF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007FB1D0518607h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ECF6 second address: F8ED03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8F0C8 second address: F8F0D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB1D05185F6h 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9BB5C second address: F9BB6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9BB6A second address: F9BB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jmp 00007FB1D0518605h 0x0000000e jl 00007FB1D05185F8h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A227 second address: F9A22D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A22D second address: F9A247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB1D05185FFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A247 second address: F9A267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FB1D0D637FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FB1D0D637F6h 0x00000014 jnc 00007FB1D0D637F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A4FD second address: F9A501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A65C second address: F9A662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A662 second address: F9A666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A7AB second address: F9A7B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A7B1 second address: F9A7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A7B6 second address: F9A7BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A7BC second address: F9A7C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A7C0 second address: F9A7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FB1D0D637F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9A929 second address: F9A92F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F9BA0A second address: F9BA10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA43A5 second address: FA43AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA43AE second address: FA43C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a ja 00007FB1D0D637F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA43C0 second address: FA43CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007FB1D05185F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA43CF second address: FA43D9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB1D0D637F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FA43D9 second address: FA43E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 js 00007FB1D05185F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB107B second address: FB1099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FB1D0D63801h 0x0000000b jnp 00007FB1D0D637F6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB1099 second address: FB109F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB109F second address: FB10A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB1D0D637F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB10A9 second address: FB10AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB0CA9 second address: FB0CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB5699 second address: FB56C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007FB1D05185FAh 0x0000000d jmp 00007FB1D05185FBh 0x00000012 pop edi 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FB1D05185FAh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FB56C7 second address: FB56E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0D637FFh 0x00000009 popad 0x0000000a push edx 0x0000000b jne 00007FB1D0D637F6h 0x00000011 jno 00007FB1D0D637F6h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBCABC second address: FBCAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBCAC2 second address: FBCACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FBCACD second address: FBCAD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC0223 second address: FC022D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB1D0D637FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC022D second address: FC0234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC0234 second address: FC024D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0D63803h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FC725E second address: FC728F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0518609h 0x00000009 jl 00007FB1D05185F6h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jc 00007FB1D05185F6h 0x00000019 popad 0x0000001a push ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFF50 second address: FCFF5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jbe 00007FB1D0D637FEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFF5D second address: FCFF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCE986 second address: FCE9DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB1D0D637FBh 0x00000008 jnp 00007FB1D0D637F6h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007FB1D0D63802h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jc 00007FB1D0D6382Ah 0x00000020 jp 00007FB1D0D63802h 0x00000026 jne 00007FB1D0D637F6h 0x0000002c jne 00007FB1D0D637F6h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FB1D0D637FEh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCED8A second address: FCED8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF020 second address: FCF03C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FB1D0D637FCh 0x0000000b popad 0x0000000c pushad 0x0000000d jng 00007FB1D0D637F6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCF03C second address: FCF05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d jmp 00007FB1D05185FCh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FCFCC1 second address: FCFCE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FB1D0D63812h 0x0000000f pushad 0x00000010 jno 00007FB1D0D637F6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD2DE7 second address: FD2E0A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB1D05185F6h 0x00000008 jc 00007FB1D05185F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FB1D0518603h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD2E0A second address: FD2E59 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB1D0D6380Fh 0x00000008 jmp 00007FB1D0D63807h 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007FB1D0D637FEh 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007FB1D0D6380Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD29CE second address: FD29D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EDD855 second address: EDD882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0D63809h 0x00000009 jmp 00007FB1D0D637FEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EDD882 second address: EDD88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FECFBA second address: FECFD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D63803h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FECFD1 second address: FECFF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FB1D05185F6h 0x00000013 jmp 00007FB1D05185FCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF3FC0 second address: FF3FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB1D0D637FDh 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF42E5 second address: FF42F8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FB1D05185FAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF42F8 second address: FF4345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB1D0D63803h 0x00000009 jmp 00007FB1D0D637FEh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 jmp 00007FB1D0D63803h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jc 00007FB1D0D637F6h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF4345 second address: FF4349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF806B second address: FF807C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 je 00007FB1D0D637FEh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE774 second address: FFE787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jp 00007FB1D05185F6h 0x0000000c je 00007FB1D05185F6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE787 second address: FFE7BD instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB1D0D63802h 0x00000008 jc 00007FB1D0D6380Bh 0x0000000e jmp 00007FB1D0D637FAh 0x00000013 jmp 00007FB1D0D637FBh 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFE7BD second address: FFE7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1000496 second address: 100049C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 100049C second address: 10004BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB1D0518609h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10004BB second address: 10004E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D0D637FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB1D0D63809h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1000060 second address: 1000064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ECB0D1 second address: ECB0D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7EC9 second address: FF7EF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB1D05185FBh 0x00000007 jmp 00007FB1D0518606h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 jc 00007FB1D05185F6h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1A8BB second address: F1A8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB1D0D637FEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D6DD62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F1091E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F16703 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FA9617 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 56E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 76E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE988A rdtsc 0_2_00EE988A
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 3440 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE988A rdtsc 0_2_00EE988A
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 6ADProgram Manager
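
The evasion and anti-debugging entries above are one protector's checks seen through the sandbox's instrumentation: each RDTSC interceptor line is a rdtsc / junk / rdtsc pair whose cycle delta balloons under single-stepping or a hypervisor that traps rdtsc; the window-class probes target OllyDbg and the Sysinternals monitors; NTICE, SICE and SIWVID are the SoftICE driver device names; HideFromDebugger and DebugPort are the NtSetInformationThread and NtQueryInformationProcess checks. The following triage helper is an added example, not Joe Sandbox code: it parses behaviour lines in the report's layout (a constructed sample of lines copied from above, with the separator between the Source cell and the signature text restored), collapses them into ATT&CK-tagged findings with the concrete evidence, and flags the 922337203685477 ms delay, which equals INT64_MAX 100 ns ticks divided by 10 000, i.e. a maximal NtDelayExecution interval. The technique IDs are the editor's mapping, not the report's.

```python
"""Triage helper: map Joe Sandbox-style anti-analysis behaviour lines to
ATT&CK techniques so hundreds of near-identical interceptor entries collapse
into a short list of evasion families with evidence.
Added example for this page; not Joe Sandbox code. The technique IDs are the
editor's mapping."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "technique family evidence")

# Window classes/titles and device names probed by the sample (all taken from
# the report above); protectors use them to spot OllyDbg, Sysinternals monitors
# and SoftICE.
TOOL_WINDOWS = {
    "ollydbg", "gbdyllo",                     # 'gbdyllo' is 'ollydbg' reversed
    "procmon_window_class", "regmonclass", "filemonclass",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com",
}
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
VM_REG_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}

LONG_SLEEP_MS = 3 * 60 * 1000                   # the report's ">= 3 min" threshold
INT64_MAX_100NS_AS_MS = (2**63 - 1) // 10_000   # 922337203685477, the value on the page

# Signature families with a fixed shape: (regex, technique, family);
# the captured groups become the evidence string.
RULES = [
    (re.compile(r"RDTSC instruction interceptor: First address: (\w+) second address: (\w+)"),
     "T1497.003", "rdtsc timing check"),
    (re.compile(r"Special instruction interceptor: First address: (\w+) instructions caused by: (Self-modifying code)"),
     "T1027", "self-modifying code"),
    (re.compile(r"Thread information set: (HideFromDebugger)"), "T1622", "NtSetInformationThread"),
    (re.compile(r"Process queried: (DebugPort)"), "T1622", "NtQueryInformationProcess"),
]


def classify(line):
    """Return a Finding for one behaviour line, or None if it is not an anti-analysis signature."""
    for regex, technique, family in RULES:
        m = regex.search(line)
        if m:
            return Finding(technique, family, " -> ".join(m.groups()))
    m = re.search(r"Open window title or class name: (.+)$", line)
    if m and m.group(1).strip().lower() in TOOL_WINDOWS:
        return Finding("T1518.001", "analysis-tool window probe", m.group(1).strip())
    m = re.search(r"File opened: (\w+)$", line)
    if m and m.group(1) in SOFTICE_DEVICES:
        return Finding("T1622", "SoftICE device probe", m.group(1))
    m = re.search(r"Registry key queried: (\S+) name: (\w+)$", line)
    if m and m.group(2) in VM_REG_VALUES:
        return Finding("T1497.001", "VM fingerprint via registry", m.group(2))
    m = re.search(r"Thread delayed: delay time: (\d+)$", line)
    if m and int(m.group(1)) >= LONG_SLEEP_MS:
        ms = int(m.group(1))
        note = ("INT64_MAX 100 ns ticks (0x7FFFFFFFFFFFFFFF) expressed in ms"
                if ms == INT64_MAX_100NS_AS_MS else f"{ms} ms")
        return Finding("T1497.003", "long sleep", note)
    return None


def triage(lines):
    """Classify every line; lines matching no rule are dropped."""
    return [f for f in map(classify, lines) if f is not None]


def summarize(findings):
    """Count findings per technique ID."""
    return Counter(f.technique for f in findings)


# Constructed sample: lines copied from the report above, one per signature
# family, with the separator after the 'Source:' cell restored.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F89BFA second address: F89C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F8ACB5 second address: F8ACB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D6DD62 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
""".strip().splitlines()

if __name__ == "__main__":
    findings = triage(SAMPLE_LINES)
    for f in findings:
        print(f"{f.technique:10} {f.family:30} {f.evidence}")
    print(summarize(findings))
```

The write-watch allocation line is left unmatched on purpose: on its own it is a weak indicator, and a rule set like this should only fire on behaviour that is specific to evasion. Feed the real report export through triage() and the summary gives the evasion families and their volume without reading every interceptor entry.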

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
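
The values above are Group Policy registry settings: DisableRealtimeMonitoring=1 stops real-time scanning, DisableIOAVProtection=1 stops scanning of downloaded files and attachments, DisableNotifications=1 silences Windows Security Center, and the WindowsUpdate policy values turn off or redirect automatic updating (the report shows the names but not the data written). During response the practical question is which of these overrides are present on a host and how to undo them. The audit below is an added example, not part of the Joe Sandbox report: it parses a .reg export of the affected policy keys (the export is constructed to mirror the report, and the Windows Update data values are assumed), separates values that disable a protection outright from other policy overrides, and emits the reg.exe commands that remove them. Tamper Protection is deliberately not handled here: it is not a Policies key and has to be re-enabled from the Windows Security app or the MDM console, not by editing the registry.

```python
"""Audit a .reg export of the Windows Defender / Windows Update policy keys
the sample writes to, flag values that leave the host weakened, and emit
reg.exe commands that remove them.
Added example for this page; not part of the Joe Sandbox report. The export
below is constructed; the Windows Update data values are assumed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name value verdict")

RTP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU = WU + r"\AU"

# Any value under these roots is a policy override worth reviewing: an
# unmanaged host has none of them by default.
POLICY_ROOTS = (
    r"hkey_local_machine\software\policies\microsoft\windows defender",
    r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate",
)

# Values that, with this data, switch a protection off outright.
WEAKENING = {
    (RTP.casefold(), "disablerealtimemonitoring"): lambda v: v == 1,
    (RTP.casefold(), "disableioavprotection"): lambda v: v == 1,   # downloads/attachments not scanned
    (NOTIFY.casefold(), "disablenotifications"): lambda v: v == 1,
    (WU.casefold(), "donotconnecttowindowsupdateinternetlocations"): lambda v: v == 1,
    (AU.casefold(), "auoptions"): lambda v: v == 1,                # 1 = automatic updating disabled
}

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"(.+?)"=(dword:[0-9A-Fa-f]{8}|"(?:[^"\\]|\\.)*"|hex(?:\([0-9a-f]+\))?:.*)$')


def parse_reg(text):
    """Parse the subset of .reg syntax that reg.exe exports: [key] headers and
    "name"=dword:/"string"/hex: values. Returns {(key, name): value}."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if m and key is not None:
            name, data = m.groups()
            if data.startswith("dword:"):
                values[(key, name)] = int(data[6:], 16)
            elif data.startswith('"'):
                values[(key, name)] = data[1:-1].replace("\\\\", "\\")
            else:
                values[(key, name)] = data       # hex blobs kept verbatim
    return values


def audit(reg_text):
    """One Finding per policy value found: verdict 'weakened' when the data
    disables a protection, otherwise 'override' for any other policy value."""
    findings = []
    for (key, name), value in parse_reg(reg_text).items():
        rule = WEAKENING.get((key.casefold(), name.casefold()))
        if rule is not None and rule(value):
            findings.append(Finding(key, name, value, "weakened"))
        elif key.casefold().startswith(POLICY_ROOTS):
            findings.append(Finding(key, name, value, "override"))
    return findings


def remediation_commands(findings):
    """reg.exe commands that delete the offending policy values."""
    return [f'reg delete "{f.key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)}" /v {f.name} /f'
            for f in findings]


# Constructed post-infection export: the Defender values match the report,
# the Windows Update data is assumed.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000000
"""

if __name__ == "__main__":
    found = audit(SAMPLE_EXPORT)
    for f in found:
        print(f"{f.verdict:9} {f.name} = {f.value}  ({f.key})")
    print("\n".join(remediation_commands(found)))
```

On a domain-joined host, run gpupdate /force after deleting the values so the intended policy is re-applied, and confirm with Get-MpComputerStatus that RealTimeProtectionEnabled and IsTamperProtected are both true again; an "override" verdict is a prompt to compare against the organisation's baseline rather than a finding by itself.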
MITRE ATT&CK matrix (techniques with matching signatures, number of matching signatures in parentheses; the remaining cells of the Joe Sandbox matrix are unmatched template entries and are omitted here):

Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2)
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Obfuscated Files or Information (3), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
Discovery: Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (22)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no matching signatures
Source: file.exe | Detection: 100% | Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561815
Start date and time: 2024-11-24 11:32:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 20.190.147.12, 20.190.177.23, 20.190.177.82, 20.190.147.8, 20.190.177.146, 20.190.147.4, 20.190.177.19, 20.190.177.148
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.497547553808381
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'781'696 bytes
MD5:c5c5dfb5a92ee653b1a4c8b1590f62b3
SHA1:24db11344adb4edae49f7251fb09ee8b8d1be3fe
SHA256:802283ac30947219df587580814ba6c717ab76c240e54804b2f9ef0612df5469
SHA512:cecc92d0c41f02bed9d66da06b3012ec1769b30ef03e78f69d692480f888a581fa1de7e87ab1b4fce2b3730dfa610208704b25c5ce3c5820f3ecdd24fb0da204
SSDEEP:49152:BDce6EquCC2NHrM9CrD34j6Bky6finWQy/Uj:BDce6Eqe2VY9pj6BV6tT
TLSH:D5D55B62B44575EFD48E13B89D27CE839D5D03F95B2008D7A82D74BABEA3CC119B6C18
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ....................... +.......*...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6ae000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint Instruction:jmp 00007FB1D12F3F0Ah
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8055           0x69          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x59c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x81f8           0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):
  • (name not rendered) / 0x2000 / 0x4000 / 0x1200 / dcdc4758af77dd8dd58ef1309cd8102e / False / 0.9340277777777778 / data / 7.802799345548783 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .rsrc / 0x6000 / 0x59c / 0x600 / aae15e30898a02f09cc86ed48aa06b09 / False / 0.4140625 / data / 4.036947054771808 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .idata / 0x8000 / 0x2000 / 0x200 / ec9cb51e8cb4ea49a56ee3cf434fb69e / False / 0.1484375 / data / 0.9342685949460681 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • yfiarvre / 0xa000 / 0x2a2000 / 0x2a1200 / 59cfa48afff5054f512a4e9b82370788 / unknown / unknown / unknown / unknown / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • kcckixnl / 0x2ac000 / 0x2000 / 0x400 / b446ca90f05dd5846e23a747cf8b51d6 / False / 0.8134765625 / data / 6.336100813088872 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
  • .taggant / 0x2ae000 / 0x4000 / 0x2200 / 2b997d1770faa5bc779f56af8b1e512e / False / 0.06904871323529412 / DOS executable (COM) / 0.7243510591714154 / IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources (Name / RVA / Size / Type / Language / Country / ZLIB Complexity):
  • RT_VERSION / 0x6090 / 0x30c / data / - / - / 0.42948717948717946
  • RT_MANIFEST / 0x63ac / 0x1ea / XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators / - / - / 0.5489795918367347
Imports (DLL / Import):
  • kernel32.dll / lstrcpy
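The static data above is what a triager reads before touching the dynamic results: every section except .rsrc and .idata is mapped readable, writable and executable; the first section's name did not render (the "section with special chars" signature refers to it) and its entropy is 7.8; a 2.7 MB section with a random-looking name (yfiarvre) holds most of the file; the entry point (0x6ae000) sits in .taggant rather than in a code section; and the entire import table is kernel32!lstrcpy. That is the profile of a packed or protected executable whose real code and imports only appear in memory after unpacking. The following stdlib-only Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses a PE32 section table and recomputes those indicators. build_sample_pe() produces a constructed image that mirrors the section layout above (names, RVAs, characteristics, entry point RVA 0x2ae000 in .taggant); its section contents are filler, the bytes of the unprintable first-section name and the 7.0 entropy cut-off are assumptions, and the large sections are shrunk so the image stays small.

```python
"""Static PE32 section triage (stdlib only); build_sample_pe() is a CONSTRUCTED image."""
import hashlib
import math
import struct
import sys
from collections import Counter

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                  ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed or encrypted data sits near 8

def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def section_label(name):  # printable label; control and non-ASCII name bytes become \xNN
    return "".join(chr(b) if 0x20 < b < 0x7F else "\\x%02x" % b for b in name)

def parse_pe32(image):
    """Return (entry_rva, image_base, sections) for a PE32 image; PE32+ is rejected."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0] if image[:2] == b"MZ" else -1
    if e_lfanew < 0 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", image, opt + 16)
    sections, off = [], opt + opt_size                    # IMAGE_SECTION_HEADER[], 40 bytes each
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": image[rawptr:rawptr + rawsize], "chars": chars})
        off += 40
    return entry_rva, image_base, sections

def triage(image):
    """Section-level packer indicators for a PE32 image."""
    entry_rva, image_base, sections = parse_pe32(image)
    f = {"entry_point": image_base + entry_rva, "entry_section": None,
         "rwx": [], "nonstandard_names": [], "high_entropy": []}
    for s in sections:
        label = section_label(s["name"])
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"])):
            f["entry_section"] = label
        if s["chars"] & RWX == RWX:
            f["rwx"].append(label)
        if label not in STANDARD_NAMES:
            f["nonstandard_names"].append(label)
        if shannon_entropy(s["raw"]) >= ENTROPY_THRESHOLD:
            f["high_entropy"].append(label)
    f["entry_in_standard_section"] = f["entry_section"] in STANDARD_NAMES
    return f

def _filler(n, seed=b"packed"):  # deterministic high-entropy bytes standing in for packed data
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_pe():
    """CONSTRUCTED PE32 mirroring the report's section table; contents are filler, first name assumed."""
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
    layout = [  # (name, VirtualAddress, VirtualSize, raw bytes, Characteristics); big sections shrunk
        (b"\x01\x02\x03", 0x2000, 0x4000, _filler(0x1200), rwx),
        (b".rsrc", 0x6000, 0x59C, bytes(0x600), rw),
        (b".idata", 0x8000, 0x2000, bytes(0x200), rw),
        (b"yfiarvre", 0xA000, 0x2A2000, _filler(0x4000), rwx),
        (b"kcckixnl", 0x2AC000, 0x2000, bytes(0x400), rwx),
        (b".taggant", 0x2AE000, 0x4000, bytes(0x2200), rwx),
    ]
    hdr = bytearray(0x400)                                # SizeOfHeaders
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(layout), 0x652C2850, 0, 0, 0xE0, 0x0122)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)               # PE32 magic
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIIII", hdr, opt + 16, 0x2AE000, 0x2000, 0x6000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<II", hdr, opt + 56, 0x2B2000, 0x400)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)             # NumberOfRvaAndSizes
    body, off = bytearray(), opt + 0xE0
    for name, va, vsize, raw, chars in layout:
        raw += bytes(-len(raw) % 0x200)                   # pad to FileAlignment
        struct.pack_into("<8sIIIIIIHHI", hdr, off, name.ljust(8, b"\0"), vsize, va,
                         len(raw), 0x400 + len(body), 0, 0, 0, 0, chars)
        body += raw
        off += 40
    return bytes(hdr) + bytes(body)

if __name__ == "__main__":  # python pe_triage.py [file.exe]; no argument uses the constructed image
    print(triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()))
```

Run with a path to analyse a real PE32; without an argument it analyses the constructed image, which reports the same shape as the table above: entry point 0x6ae000 in .taggant, four RWX sections, four non-standard names, and high entropy on the unnamed first section and on yfiarvre. The report's Xored PE and ZLIB-complexity columns are not recomputed, and PE32+ images are rejected rather than misparsed because ImageBase and the alignment fields sit at different offsets there.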
No network behavior found


Target ID:0
Start time:05:33:16
Start date:24/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0xd60000
File size:2'781'696 bytes
MD5 hash:C5C5DFB5A92EE653B1A4C8B1590F62B3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.6%
    Dynamic/Decrypted Code Coverage:11%
    Signature Coverage:0%
    Total number of Nodes:109
    Total number of Limit Nodes:4
    execution_graph (rendered node graph; the node and edge list is not reproduced). Nodes annotated with an API call, as address API, in graph order: f435a8 GetModuleHandleA, f4359a GetModuleHandleW, f45ead GetFileAttributesW, f45ebe GetFileAttributesA, f46a02 CreateFileMappingA, f440c1 CreateFileA, f43720 CloseHandle, f462b6 ReadFile, 5420d93 OpenSCManagerW, 5421349 ImpersonateLoggedOnUser, f46008 IsBadWritePtr, f460f0 CreateFileW, f46113 CreateFileA, f438a3 CreateFileA, f45f72 GetWindowsDirectoryA, ee9ac2 CreateFileA, ee6461 LoadLibraryA, ee98a5 CreateFileA, d6e72e VirtualAlloc, 5421558 ControlService, f44695 CloseHandle, f459ce GetCurrentProcess, f45a1f DuplicateHandle, f46c02 MapViewOfFileEx, d6eb8d VirtualAlloc, f43624 GetModuleHandleExA, ee6310 LoadLibraryA

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph for the function spanning ee9820-ee9c37 (rendered basic-block graph; block and edge list not reproduced). API call in the graph: CreateFileA in block ee9895-ee98eb. Internal calls: ee9866, ee98e7, ee994a and, from the tail block ee9c0e-ee9c37, ee9c3a.
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c096cf080c040908a2417a03dcf41ca94660b49d9311b7a9611e5ea7a1f7ebc7
    • Instruction ID: 2368d375725c855750860b75d6e084977b7935aa7f62e06938b1910705bd0c63
    • Opcode Fuzzy Hash: c096cf080c040908a2417a03dcf41ca94660b49d9311b7a9611e5ea7a1f7ebc7
    • Instruction Fuzzy Hash: 6A214CB704C2C97EF356DA626E509FA7BECEAC3330B30581DF081EA453D39109499131

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph for the function at ee9ac2, spanning ee9ac2-ee9c37 (rendered basic-block graph; block and edge list not reproduced). API call in the graph: CreateFileA in the entry block ee9ac2-ee9ad4. Internal calls: ee9bc7 and, from the tail block ee9c0e-ee9c37, ee9c3a.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same set of memory dumps listed under the first control-flow graph above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C$r@}
    • API String ID: 823142352-1140230695
    • Opcode ID: 814cb9558c84035032dea9fc9fc6a475f4f28078ff63b17e0707a07243ecf95a
    • Instruction ID: 46c07b45e063fae4f34e4f2b5cca3cbcf021528ae4fa0c3673556b5aced4279d
    • Opcode Fuzzy Hash: 814cb9558c84035032dea9fc9fc6a475f4f28078ff63b17e0707a07243ecf95a
    • Instruction Fuzzy Hash: A62107B714829D7DE701CE229954FBF7BE9EB83730F30513AE505A7983E2910E459178

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph for the function at ee9bd8, spanning ee9bd8-ee9d5f (rendered basic-block graph; block and edge list not reproduced). API call in the graph: CreateFileA in the entry block ee9bd8-ee9bea. Internal calls: ee9d62 and, from the tail block ee9c0e-ee9c37, ee9c3a.
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same set of memory dumps listed under the first control-flow graph above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C$r@}
    • API String ID: 823142352-1140230695
    • Opcode ID: 89bf7a068c8f4119f26f8986e642519eb7d2f4047a0340d1ff8b0d1cffa33951
    • Instruction ID: e50be38250070dad38820423fc4d2ba4f5260345c4df31e1b57b1f9e9b50236f
    • Opcode Fuzzy Hash: 89bf7a068c8f4119f26f8986e642519eb7d2f4047a0340d1ff8b0d1cffa33951
    • Instruction Fuzzy Hash: 350124722482AD9EDB119E3898107AE77E0EF07330F3419B6E911E3A43D6A50E51872E

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph for the function at f45e3a, spanning f45e3a-f45ed4 (rendered basic-block graph; block and edge list not reproduced). API calls in the graph: GetFileAttributesW in block f45ead-f45eb9 and GetFileAttributesA in block f45ebe-f45ec1, selected by the branch at f45ea2-f45ea7.
    APIs
    • GetFileAttributesW.KERNELBASE(015DA294,-11565FEC), ref: 00F45EB3
    • GetFileAttributesA.KERNEL32(00000000,-11565FEC), ref: 00F45EC1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: aac29772032e3bff9bb541f395636374db41ce4bb1ce80f7267f32ce2053476c
    • Instruction ID: 48e27d1f58dcb7016e7e2b04b20e0578bb4fe4e5b7b4ba5457457d8967ecfb06
    • Opcode Fuzzy Hash: aac29772032e3bff9bb541f395636374db41ce4bb1ce80f7267f32ce2053476c
    • Instruction Fuzzy Hash: E3016D72904A09FBEF25AF64C9097AE7EB0BF00B55F208125ED0665092D7759B90FA00

    Control-flow Graph
    control_flow_graph 48 ee6310-ee6312 LoadLibraryA 49 ee633c-ee6459 48->49 50 ee6318-ee633b 48->50 50->49
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: PO^
    • API String ID: 1029625771-4199096969
    • Opcode ID: cb1b8ef3a723f994e49bf9bb5d2228d403bc75d847d796e41ca6fa312849c35e
    • Instruction ID: d37a8e64a6af0e59edbd61d72e585c4445b7c8c240c4a243fc519bdb628d2eb8
    • Opcode Fuzzy Hash: cb1b8ef3a723f994e49bf9bb5d2228d403bc75d847d796e41ca6fa312849c35e
    • Instruction Fuzzy Hash: E2318FF250C200AFE709AF19D841ABEF7E5EFE4720F15892DE6D583350E63598148BA7

    Control-flow Graph
    control_flow_graph 52 f46056-f46064 53 f46076 52->53 54 f4606a-f46071 52->54 55 f4607d-f46089 53->55 54->55 57 f460a4-f460b4 call f46008 55->57 58 f4608f-f46099 call f45f63 55->58 64 f460c6-f460d4 57->64 65 f460ba-f460c1 57->65 58->57 63 f4609f 58->63 66 f460e5-f460ea 63->66 64->66 70 f460da-f460db call f4385d 64->70 65->66 68 f460f0-f4610e CreateFileW 66->68 69 f46113-f46128 CreateFileA 66->69 71 f4612e-f4612f 68->71 69->71 74 f460e0 70->74 73 f46134-f4613b 71->73 74->73
    APIs
    • CreateFileW.KERNELBASE(015DA294,?,-11565FEC,?,?,?,?,-11565FEC), ref: 00F46108
      • Part of subcall function 00F46008: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F46016
    • CreateFileA.KERNEL32(?,?,-11565FEC,?,?,?,?,-11565FEC), ref: 00F46128
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: a0ce0bafed4c423ff9fc619814a2d7beea92d1582e1f81ff2b08a2957dbef5fb
    • Instruction ID: cc30f77f55094253608e3716378a088d58913edc1a7350bcc684b6ced23a1b38
    • Opcode Fuzzy Hash: a0ce0bafed4c423ff9fc619814a2d7beea92d1582e1f81ff2b08a2957dbef5fb
    • Instruction Fuzzy Hash: 3611F93250410AFBDF229F98CD09B9D3E72BF56354F148015FD06A50A2D37AC9A5FB52

    Control-flow Graph
    control_flow_graph 76 d6e5c4-d6f3e8 VirtualAlloc
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00D6F3C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: Le
    • API String ID: 4275171209-4262842223
    • Opcode ID: da902f205d303a742b9027a37d108bb7bab72351d43721ace2c37308ede4a638
    • Instruction ID: 53b2d364cf33a8d4fd48c0595c9d43bb7157ebaf23e1f6156ae7a54e2129a4ac
    • Opcode Fuzzy Hash: da902f205d303a742b9027a37d108bb7bab72351d43721ace2c37308ede4a638
    • Instruction Fuzzy Hash: C011D2B510CB08DFC305AF2A944147AFBE4FF84710F12882EE4C58B290EB319981DB93

    Control-flow Graph
    control_flow_graph 82 f434e0-f434f1 84 f434f7 82->84 85 f434fc-f43505 82->85 86 f43590-f43594 84->86 91 f43539-f43540 85->91 92 f4350b-f43514 85->92 87 f435a8-f435ab GetModuleHandleA 86->87 88 f4359a-f435a3 GetModuleHandleW 86->88 90 f435b1 87->90 88->90 93 f435bb-f435bd 90->93 94 f43546-f4354d 91->94 95 f4358b 91->95 96 f4351c-f4351e 92->96 94->95 97 f43553-f4355a 94->97 95->86 96->95 98 f43524-f43529 96->98 97->95 99 f43560-f43567 97->99 98->95 100 f4352f-f435b6 98->100 99->95 101 f4356d-f43581 99->101 100->93 101->95
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,00F43472,?,00000000,00000000), ref: 00F4359D
    • GetModuleHandleA.KERNEL32(00000000,?,?,00F43472,?,00000000,00000000), ref: 00F435AB
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID:
    • API String ID: 4139908857-0
    • Opcode ID: afc6879593d2bec283d780a98de86256cd885237a40dbdfc0af4a79438b0c9b7
    • Instruction ID: 890b1f062e09b53275aa0d2dfd5d1cb3d028e7861d3cff0a1b99939392f77502
    • Opcode Fuzzy Hash: afc6879593d2bec283d780a98de86256cd885237a40dbdfc0af4a79438b0c9b7
    • Instruction Fuzzy Hash: 02113C7050550BBEEB38DF14C80DBA97EB4BF00356F084225FD02444A1D7799BE4FA91

    Control-flow Graph
    control_flow_graph 104 f459c2-f459d8 GetCurrentProcess 106 f459de-f459e1 104->106 107 f45a1a-f45a3c DuplicateHandle 104->107 106->107 108 f459e7-f459ea 106->108 111 f45a46-f45a48 107->111 108->107 110 f459f0-f45a03 108->110 110->107 113 f45a09-f45a41 call f4375f 110->113 113->111
    APIs
    • GetCurrentProcess.KERNEL32(-11565FEC), ref: 00F459CF
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F45A35
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentDuplicateHandleProcess
    • String ID:
    • API String ID: 1009649615-0
    • Opcode ID: a94052a17940432f775bef3d993ba45711e936164b78ef7b8b944ee88d43e149
    • Instruction ID: d643a9266874fc04b204b005396612646bbcff18400e18f8ebe35835f127ff65
    • Opcode Fuzzy Hash: a94052a17940432f775bef3d993ba45711e936164b78ef7b8b944ee88d43e149
    • Instruction Fuzzy Hash: B701E47210040AFBCF22AFA4CC89C9E3F35BF98760B104215FD02A5012C73AD4A2FBA1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 133 ee6461-ee6464 LoadLibraryA 134 ee646c-ee65ba 133->134 135 ee646a-ee646b 133->135 138 ee65c0 134->138 135->134 138->138
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: ff551823536d00300db68bf549e3c30b295c1ad6ac07f07102458640e901ad55
    • Instruction ID: ae3e1be12d86e9c4d544b4f0d948e046ef991d3aff93b285263a75e3ff45ee78
    • Opcode Fuzzy Hash: ff551823536d00300db68bf549e3c30b295c1ad6ac07f07102458640e901ad55
    • Instruction Fuzzy Hash: 363182B250C210AFE305AF19DC41ABBFBE9EFD4760F16892DF6C493610D63598448BA3

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 139 f44041-f44052 140 f44081-f4408a 139->140 141 f44058-f4406c 139->141 144 f44167 140->144 145 f44090-f440a1 call f43823 140->145 149 f4416f 141->149 150 f44072-f44080 141->150 144->149 151 f440a7-f440ab 145->151 152 f440c1-f44100 CreateFileA 145->152 153 f44176-f4417a 149->153 150->140 154 f440b1-f440bd 151->154 155 f440be 151->155 156 f44124-f44127 152->156 157 f44106-f44123 152->157 154->155 155->152 159 f4412d-f44144 156->159 160 f4415a-f44162 call f436b2 156->160 157->156 159->153 166 f4414a-f44155 call f43720 159->166 160->149 166->149
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00F440F6
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 76975f1a8e8ac6e0a122b32718bffa2bc077e56a9b88b363971a6f8c81741898
    • Instruction ID: 4b255c5b58bce11bd3497c3134a7e9cd3cc8fd582186ff165fbbe0ef3b01e4cc
    • Opcode Fuzzy Hash: 76975f1a8e8ac6e0a122b32718bffa2bc077e56a9b88b363971a6f8c81741898
    • Instruction Fuzzy Hash: E3319E71900204BFEF219F64DC85F9EBFB8FF84724F208125F915AA191C775A992EB10

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 192 f4385d-f4386c 194 f43972 192->194 195 f43872-f43883 call f43823 192->195 196 f43979-f4397d 194->196 199 f438a3-f438e9 CreateFileA 195->199 200 f43889-f4388d 195->200 201 f43934-f43937 199->201 202 f438ef-f43910 199->202 203 f438a0 200->203 204 f43893-f4389f 200->204 205 f4393d-f43954 201->205 206 f4396a-f4396d call f436b2 201->206 202->201 210 f43916-f43933 202->210 203->199 204->203 205->196 212 f4395a-f43965 call f43720 205->212 206->194 210->201 212->194
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F438DF
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4eed6e17f7f7cf2c19d4df99f220a89f4c572b35f3fed86fa7aea6fa2f67390c
    • Instruction ID: e6f10a5d2b6f47985d2f9f1d05a2a30496dd7a57e726a32969548083f4de78de
    • Opcode Fuzzy Hash: 4eed6e17f7f7cf2c19d4df99f220a89f4c572b35f3fed86fa7aea6fa2f67390c
    • Instruction Fuzzy Hash: EE31A2B1A00204BFEB209F64DC45F99BBB8FF44724F208265FA11AA1D1D7B5A682DB54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 216 ee98a1-ee98a3 217 ee98a8-ee98c6 CreateFileA 216->217 218 ee98a5-ee98a7 216->218 220 ee98d8-ee98eb call ee98e7 217->220 218->217 223 ee9c0e-ee9c37 call ee9c3a 220->223 224 ee98f1-ee991e 220->224 229 ee9924-ee9931 224->229 230 ee9932-ee993d call ee994a 224->230 229->230 233 ee9942 230->233 233->233
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 17974d93bcc264267e97223a251feac7c1b27862bc22f2e6293724c29d37cabd
    • Instruction ID: 5a15f8e37a25a81658c349b5de48cc79a2a967943b513aa58f0c02e3618d9f65
    • Opcode Fuzzy Hash: 17974d93bcc264267e97223a251feac7c1b27862bc22f2e6293724c29d37cabd
    • Instruction Fuzzy Hash: DAF08CF714C6D96DB26599633E529FB27CCC5E3370B30A82EF492EA493D38248469139
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05420DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2362251227.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 6579f74a0b2dd3b1b6617d9259405cc63007142df10baf78552c69911f42c234
    • Instruction ID: fff99145a02366ef0377c044dbb03481daeade869e64bbcc194cc5f3009f8447
    • Opcode Fuzzy Hash: 6579f74a0b2dd3b1b6617d9259405cc63007142df10baf78552c69911f42c234
    • Instruction Fuzzy Hash: 522124B6C112289FCB50DF99D888ADEFBF4FF89310F14815AE909AB304D734A540CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05420DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2362251227.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 5b2c127e3d7d4d172ec7cf8e805286473ed75ab6d70d6743d50db2a38dc54be5
    • Instruction ID: 8949e53a9a1e2b99dc6b517db73cc208838a1e03302c6da46dfa933b2096a1b8
    • Opcode Fuzzy Hash: 5b2c127e3d7d4d172ec7cf8e805286473ed75ab6d70d6743d50db2a38dc54be5
    • Instruction Fuzzy Hash: E42102BAC112289FCB50CF99D988ADEBBF4FF88310F14855AD909AB244D734A540CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05421580
    Memory Dump Source
    • Source File: 00000000.00000002.2362251227.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: c3f69f66732377df41bf1df81eb92a250f8f85c69df63ce162bbc4b631ca7b04
    • Instruction ID: 35b809930cd793a42c893a2424b4087f8f2afdceda7cc190a932daa3a845d733
    • Opcode Fuzzy Hash: c3f69f66732377df41bf1df81eb92a250f8f85c69df63ce162bbc4b631ca7b04
    • Instruction Fuzzy Hash: A32114B59002598FCB10CF9AC984BDEFBF4FB48310F10842AE559A3250D338A684CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05421580
    Memory Dump Source
    • Source File: 00000000.00000002.2362251227.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 76d0c2fa46bb7f9ccf44c7364caee82223e7d4dcfb3454f44e7f90c5325f6f3a
    • Instruction ID: e4a8a809a5dd02365c637d1e69b7d2e098a026ae0676966908bd5fda162a2cbd
    • Opcode Fuzzy Hash: 76d0c2fa46bb7f9ccf44c7364caee82223e7d4dcfb3454f44e7f90c5325f6f3a
    • Instruction Fuzzy Hash: D81117B19002598FCB10CF9AC844BDEFBF4FB48310F10802AE519A3240D378A644CFA5
    APIs
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 00F46C15
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: FileView
    • String ID:
    • API String ID: 3314676101-0
    • Opcode ID: e233f53ba80daac61ca576e24a28e95ccdd8811f40bec0524f2cd14dd5a64583
    • Instruction ID: 5ad5ccab73eb389aa21b1eb1ce6632c75e7549a668eff45cb4a6a971075bbab5
    • Opcode Fuzzy Hash: e233f53ba80daac61ca576e24a28e95ccdd8811f40bec0524f2cd14dd5a64583
    • Instruction Fuzzy Hash: C311B33250120AFECF226FA8DD49D9A3F66FF9A355B048511FE5195021C73AC8B1FB62
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 13c759ef1678dedc0f4653706fe8a9dac57750c7825af15d676e2cc613fdc0e1
    • Instruction ID: 8ad7e8abf05132536059df2ad51afcb8c316f282da0a39e5bf40beb76f8534ad
    • Opcode Fuzzy Hash: 13c759ef1678dedc0f4653706fe8a9dac57750c7825af15d676e2cc613fdc0e1
    • Instruction Fuzzy Hash: 3F11093250060AEFCF12AFA4CD09A9E7FB5BF45354F148111FD01A6161C779D9A1FB52
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05421367
    Memory Dump Source
    • Source File: 00000000.00000002.2362251227.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 25a68b6c9fe53c703664da89c959c9f4cbd03be71e1173a5558b1dc60ff2c2b0
    • Instruction ID: d59274977614bb9c0874f46cf9e5cfc1dd286747b9f0cf417dba5bd78f2e1b6a
    • Opcode Fuzzy Hash: 25a68b6c9fe53c703664da89c959c9f4cbd03be71e1173a5558b1dc60ff2c2b0
    • Instruction Fuzzy Hash: 5A1115B1800259CFDB10DF9AC945BEEFBF8EF49320F24846AD518A3650D778A944CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05421367
    Memory Dump Source
    • Source File: 00000000.00000002.2362251227.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 987eb6490f2f9b4f700aa88f5618634009e6bf8b4aefcbef035c9f5599de679a
    • Instruction ID: 1c83dc32f9960912d5c2895f7432b81c02dacb365abd01c5f7fa15896c8f3d62
    • Opcode Fuzzy Hash: 987eb6490f2f9b4f700aa88f5618634009e6bf8b4aefcbef035c9f5599de679a
    • Instruction Fuzzy Hash: 811125B5800259CFDB10CF99C945BEEBBF4EF48320F14845AD518B3640C378A544CFA5
    APIs
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,?,?,00F43F89,?,?,00000400,?,00000000,?,00000000), ref: 00F462C6
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: FileRead
    • String ID:
    • API String ID: 2738559852-0
    • Opcode ID: 889873700ecea4f6a7a7bdce2f98440a19534aaf047217dfd2dfd6cd1421e639
    • Instruction ID: bac610ef002730f157a46bb30948ed0e76f21e9893c23d814a09ff055e5d9b3b
    • Opcode Fuzzy Hash: 889873700ecea4f6a7a7bdce2f98440a19534aaf047217dfd2dfd6cd1421e639
    • Instruction Fuzzy Hash: 64F0C43220010ABBDF126F98CC09E9A3F66FF9A350B008111FE0199125C776D9B1FB62
    APIs
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00F4362D
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID:
    • API String ID: 4139908857-0
    • Opcode ID: f3b42e359f2f67722de42e79a100ed6de10ee2434c0706d702aa6527fc9efbf3
    • Instruction ID: 9833797211a777fd54eebc9fbd8788deb5b2787d5a186e0abce6985f034bfc5c
    • Opcode Fuzzy Hash: f3b42e359f2f67722de42e79a100ed6de10ee2434c0706d702aa6527fc9efbf3
    • Instruction Fuzzy Hash: 33F0177610020ABFDF24DF58C84AEA97FB5FF58310F518125FE098A252D735DAA1FA21
    APIs
    • CloseHandle.KERNELBASE(00F4401E,?,?,00F4401E,?), ref: 00F44699
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2359530180.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359568733.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359596679.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359648330.0000000000D76000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359752637.0000000000EC8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359773890.0000000000ECA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359801940.0000000000EED000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359845840.0000000000EF9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359862912.0000000000EFB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359881009.0000000000F04000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359903465.0000000000F0A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359923329.0000000000F13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359942305.0000000000F14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359963629.0000000000F20000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2359984615.0000000000F22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360003170.0000000000F23000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360024058.0000000000F32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360046381.0000000000F33000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360066602.0000000000F34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360084417.0000000000F35000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360104245.0000000000F37000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360144225.0000000000F48000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360165917.0000000000F57000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360188665.0000000000F5B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360210092.0000000000F63000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360229996.0000000000F68000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360254578.0000000000F70000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360279667.0000000000F74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360312787.0000000000F7D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360332141.0000000000F7E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360354826.0000000000F7F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360376910.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360400445.0000000000F8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: e3df4b148fc0b683ea96d667f2536cfb155383401a5af063ec5d938781053cce
    • Instruction ID: 869f921be861bcce671d1959e47ccf44846dca39c9e673a748c9eae5e0fab077
    • Opcode Fuzzy Hash: e3df4b148fc0b683ea96d667f2536cfb155383401a5af063ec5d938781053cce
    • Instruction Fuzzy Hash: 37E04FB2601545A6CE20BB78DC0DE4E7F28BFD27547114222FC02A5101DA79E0D2FA31
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    APIs
    • CloseHandle.KERNELBASE(?), ref: 00F43726
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: #ss?$54Gi$W}.
    • API String ID: 0-1439465691
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: #ss?$W}.
    • API String ID: 0-13399339
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2359623108.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00F46959
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.2360422160.0000000000F8C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360445040.0000000000F8D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360465291.0000000000F94000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360481152.0000000000F95000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360496174.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360496174.0000000000FF0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360563296.0000000000FF6000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360563296.0000000000FFC000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360595694.000000000100C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2360617455.000000000100E000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 844ee9b1728a9ea6c04b2f2365e60092e2871ac188603f18c592575295ac5310
    • Instruction ID: 983aae53cc046ae2f4fe12e0a32d6803f677e84b0180181cb7d6601a47d4fb0c
    • Opcode Fuzzy Hash: 844ee9b1728a9ea6c04b2f2365e60092e2871ac188603f18c592575295ac5310
    • Instruction Fuzzy Hash: 47F0F87260620EEFCF11CF94C904A8C7FB2FF05314B108129F91596210D7B59AA0FF41
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 580605fe0b9223fed7a29c1b23488360f0623212ead3dabe8fd52e6fa7ee7268
    • Instruction ID: 0f2e1d6c6e4bc5905a90a6d096d8fd97645bd5edae317f21e160dc958a3a8605
    • Opcode Fuzzy Hash: 580605fe0b9223fed7a29c1b23488360f0623212ead3dabe8fd52e6fa7ee7268
    • Instruction Fuzzy Hash: D34164B240C310AFE345BF29E8469AEFBE4EF95361F168C2DE5C482610D7355894CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9d1951315ca977893b7c0cec9cf1c0274eb73468295ceae19d194e9da26606dc
    • Instruction ID: 21c7c0910839b78a17c85241573b632b586bf2a9d929a998ac3ad071dd35f6b1
    • Opcode Fuzzy Hash: 9d1951315ca977893b7c0cec9cf1c0274eb73468295ceae19d194e9da26606dc
    • Instruction Fuzzy Hash: 0F4136B240C214AFE345BF2AE8469BEFBE4EF94361F168C2DE5C582210D7355894CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2359801940.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5455f6696a0960af7839bd4a3927838207f6ad0a2850c426113509cc4c295faa
    • Instruction ID: e141bbc95e23353cba6cc5740fcaafdded79f96de40c17be020037d0a5ecd167
    • Opcode Fuzzy Hash: 5455f6696a0960af7839bd4a3927838207f6ad0a2850c426113509cc4c295faa
    • Instruction Fuzzy Hash: F331FCB240C204EFD34ABF29E88666EFBE0EF54361F064C2DE6D582220D7395494CB87
    APIs
      • Part of subcall function 00F46008: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F46016
    • wsprintfA.USER32 ref: 00F44FD0
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00F45094
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: ImageLoadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 416453052-2046107164
    • Opcode ID: 6ec8aa1f8964f85a47f4e2bfb0e57b5064bfc85052ae1d35f5b9cc606cae882d
    • Instruction ID: cc51a1b8926717654760ca912a0da0b39f8f56e475cf3fa57742ab65b1f3b64a
    • Opcode Fuzzy Hash: 6ec8aa1f8964f85a47f4e2bfb0e57b5064bfc85052ae1d35f5b9cc606cae882d
    • Instruction Fuzzy Hash: 7531D47690010ABFDF119F98DC49EAEBF75FF88710F108125F911A61A1C7359A61EB90
    APIs
    • GetFileAttributesExW.KERNEL32(015DA294,00004020,00000000,-11565FEC), ref: 00F45C48
    Memory Dump Source
    • Source File: 00000000.00000002.2360123972.0000000000F43000.00000080.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: defcca41834b7c6f7c50ea0a7f146d17b2efef190c96422b5c249870f473fb78
    • Instruction ID: ba218519dd7354428a171ef03ed4f37cb4b8eafffdeea1abc2b792e1debe25ff
    • Opcode Fuzzy Hash: defcca41834b7c6f7c50ea0a7f146d17b2efef190c96422b5c249870f473fb78
    • Instruction Fuzzy Hash: B1319EB1904B09EFDB259F54C884B9EBFB0FF04310F108529FA5667651C374A6A0EF90