Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561851
MD5: a96c40d05014ad3737c638dd279b0563
SHA1: ee419cd267f0c30581c345e059d470b8f8d28b1b
SHA256: 78cc68031e9149107111dd62528bcda1aff60c7422ab7fab3ed98aecc12e4f9a
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2648 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A96C40D05014AD3737C638DD279B0563)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DBDB9 CryptVerifySignatureA | 0_2_005DBDB9
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.1262442843.0000000004700000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059B378
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059B380
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059B3B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FA4C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006487E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405A56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405B47
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005D6DAE appears 35 times
Source: file.exe, 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2814976 > 1048576
Source: file.exe | Static PE information: Raw size of tcknjbhw is bigger than: 0x100000 < 0x2a9400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.1262442843.0000000004700000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.3f0000.0.unpack :EW;.rsrc:W;.idata :W;tcknjbhw:EW;pazbjnlm:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2bcc45 should be: 0x2bc394
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: tcknjbhw
Source: file.exe | Static PE information: section name: pazbjnlm
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00581283 push ebp; mov dword ptr [esp], 47F4D31Dh | 0_2_005812B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00581283 push eax; mov dword ptr [esp], 3BFDECA2h | 0_2_005812DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00581283 push eax; mov dword ptr [esp], ebx | 0_2_00581329
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9540 push 4A0EA7C7h; mov dword ptr [esp], ebp | 0_2_005F9573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9540 push ebx; mov dword ptr [esp], edx | 0_2_005F95A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9540 push eax; mov dword ptr [esp], 677F8D00h | 0_2_005F95EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E041 push ebp; mov dword ptr [esp], eax | 0_2_00591C01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00590044 push ebp; mov dword ptr [esp], edx | 0_2_0058ECA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00590044 push ebx; mov dword ptr [esp], 575FB864h | 0_2_0059004E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00590044 push edx; mov dword ptr [esp], ecx | 0_2_00590536
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401070 push 210134A4h; mov dword ptr [esp], ecx | 0_2_0040170D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401070 push ecx; mov dword ptr [esp], 76FFFEF6h | 0_2_00401714
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E06F push esi; mov dword ptr [esp], eax | 0_2_0058ECE4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059701F push ecx; mov dword ptr [esp], 7FFD9C18h | 0_2_00597020
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FD075 push 0BCE4D62h; mov dword ptr [esp], esi | 0_2_003FD37D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040100F push 4E1A2900h; mov dword ptr [esp], eax | 0_2_004044D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00592001 push eax; mov dword ptr [esp], esi | 0_2_0059200D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00592001 push ecx; mov dword ptr [esp], 43D19027h | 0_2_00592011
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E007 push edx; mov dword ptr [esp], esi | 0_2_00590128
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00666003 push edi; mov dword ptr [esp], ebx | 0_2_00666023
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00666003 push ebx; mov dword ptr [esp], eax | 0_2_006660B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FC053 push eax; mov dword ptr [esp], 7FBC6005h | 0_2_003FC066
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F30D5 push edx; mov dword ptr [esp], ecx | 0_2_005F30F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FC0A3 push esi; mov dword ptr [esp], ebp | 0_2_003FCBDA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058F0C6 push 39E916D2h; mov dword ptr [esp], edx | 0_2_0059076E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005970EC push 68DFD722h; mov dword ptr [esp], edx | 0_2_005970FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E0E2 push 767EC845h; mov dword ptr [esp], ecx | 0_2_0058F03A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E091 push ecx; mov dword ptr [esp], eax | 0_2_00592071
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A508E push 0A4B04C2h; mov dword ptr [esp], ecx | 0_2_005A50AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A508E push edi; mov dword ptr [esp], ebx | 0_2_005A50D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058E085 push eax; mov dword ptr [esp], ecx | 0_2_0058E35F
Source: file.exe | Static PE information: section name: entropy: 7.752728161506336

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A56B3 second address: 5A56B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A56B7 second address: 5A56C1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A56C1 second address: 5A56EF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jc 00007F5534F5B206h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F5534F5B20Dh 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F5534F5B20Bh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5840 second address: 5A5844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B29 second address: 5A5B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B32 second address: 5A5B4A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e popad 0x0000000f jne 00007F553536C90Ch 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B4A second address: 5A5B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A5B57 second address: 5A5B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8108 second address: 5A8113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F5534F5B206h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5A8474 second address: 5A847E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F553536C8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0F1A second address: 5B0F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0F1E second address: 5B0F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0F2B second address: 5B0F2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0F2F second address: 5B0F3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0294 second address: 5B02AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5534F5B206h 0x00000008 jmp 00007F5534F5B20Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B02AD second address: 5B02B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B040A second address: 5B040F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B09CF second address: 5B09EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jo 00007F553536C8E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B09EF second address: 5B0A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5534F5B20Fh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0A07 second address: 5B0A0D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0D43 second address: 5B0D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B0D47 second address: 5B0D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F553536C8E6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1DD1 second address: 5B1DD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1DD5 second address: 5B1DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1DDB second address: 5B1DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5534F5B216h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1DF5 second address: 5B1E4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 4C566FD4h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F553536C8E8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D2F1Ah], edx 0x00000032 push 32A3855Fh 0x00000037 je 00007F553536C8F4h 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B1E4B second address: 5B1E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2983 second address: 5B2988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2A5C second address: 5B2A61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2CD8 second address: 5B2CDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2CDE second address: 5B2CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5534F5B20Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2E93 second address: 5B2E98 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B2F7B second address: 5B2F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3CEA second address: 5B3D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8F3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3D02 second address: 5B3D07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3BAB second address: 5B3BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3DC8 second address: 5B3DD7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3BAF second address: 5B3BE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F553536C8F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4E41 second address: 5B4E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B457D second address: 5B4581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B4581 second address: 5B4587 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6D82 second address: 5B6DEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F553536C8E8h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov edi, 5A7105ADh 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D38F4h] 0x00000030 push 00000000h 0x00000032 or di, 7C07h 0x00000037 xchg eax, ebx 0x00000038 jmp 00007F553536C8EDh 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 jmp 00007F553536C8F9h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6DEF second address: 5B6DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6DF4 second address: 5B6DF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B7830 second address: 5B783E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B783E second address: 5B78A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F553536C8E8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jns 00007F553536C8EBh 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007F553536C8E8h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 jg 00007F553536C8ECh 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B78A8 second address: 5B78AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B78AC second address: 5B78DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F553536C8EEh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B78DD second address: 5B78EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F5534F5B20Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB58C second address: 5BB621 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F553536C8ECh 0x00000008 jns 00007F553536C8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007F553536C8F6h 0x00000017 push edi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop edi 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007F553536C8E8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov dword ptr [ebp+12461549h], edi 0x0000003d push 00000000h 0x0000003f jmp 00007F553536C8EAh 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push ebx 0x00000049 call 00007F553536C8E8h 0x0000004e pop ebx 0x0000004f mov dword ptr [esp+04h], ebx 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc ebx 0x0000005c push ebx 0x0000005d ret 0x0000005e pop ebx 0x0000005f ret 0x00000060 or dword ptr [ebp+122D2C38h], eax 0x00000066 push eax 0x00000067 jo 00007F553536C8F0h 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 pop eax 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BC61E second address: 5BC623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BC623 second address: 5BC629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BC629 second address: 5BC62D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD7B0 second address: 5BD7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007F553536C8E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD7C2 second address: 5BD7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BE825 second address: 5BE866 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F553536C8ECh 0x0000000f popad 0x00000010 push eax 0x00000011 jl 00007F553536C904h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F553536C8F6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BF7CB second address: 5BF7DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5534F5B20Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BF7DB second address: 5BF7ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F553536C8E8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C0880 second address: 5C088D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C1781 second address: 5C1787 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C1787 second address: 5C178D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C178D second address: 5C1791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C1791 second address: 5C17C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c clc 0x0000000d mov dx, bx 0x00000010 popad 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 xor bx, 99ACh 0x0000001a xchg eax, esi 0x0000001b jmp 00007F5534F5B212h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jng 00007F5534F5B206h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C17C9 second address: 5C17CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2899 second address: 5C290C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D3A04h] 0x00000010 sub di, F851h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F5534F5B208h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 or dword ptr [ebp+122D3724h], ebx 0x00000037 push 00000000h 0x00000039 jmp 00007F5534F5B212h 0x0000003e xchg eax, esi 0x0000003f jmp 00007F5534F5B219h 0x00000044 push eax 0x00000045 pushad 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B804F second address: 5B8053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B8053 second address: 5B805D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C3839 second address: 5C383F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B805D second address: 5B8062 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C383F second address: 5C38BD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F553536C8F5h 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2F65h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F553536C8E8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 add dword ptr [ebp+122D2B21h], eax 0x00000037 mov edi, 50A0114Fh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push esi 0x00000041 call 00007F553536C8E8h 0x00000046 pop esi 0x00000047 mov dword ptr [esp+04h], esi 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc esi 0x00000054 push esi 0x00000055 ret 0x00000056 pop esi 0x00000057 ret 0x00000058 mov di, A259h 0x0000005c xchg eax, esi 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 push edx 0x00000061 pop edx 0x00000062 push edi 0x00000063 pop edi 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B8062 second address: 5B8073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F5534F5B206h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C38BD second address: 5C38DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C38DA second address: 5C38E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C38E0 second address: 5C38EA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F553536C8ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C4A04 second address: 5C4A08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5CA4 second address: 5C5CC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5CC2 second address: 5C5CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5CC6 second address: 5C5CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6D20 second address: 5C6D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7C0E second address: 5C7C72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F553536C8E8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D1ED6h], esi 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F553536C8E8h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 mov di, 0AB5h 0x0000004a push eax 0x0000004b pushad 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7C72 second address: 5C7C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C7C76 second address: 5C7C96 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F553536C8F8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BB789 second address: 5BB78D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB78D second address: 5BB793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB793 second address: 5BB79D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5534F5B20Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C8DD5 second address: 5C8DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C8DD9 second address: 5C8DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BB79D second address: 5BB7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C8DDF second address: 5C8DE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BC8CB second address: 5BC8D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BD9B4 second address: 5BD9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5534F5B206h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5534F5B20Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CC2E1 second address: 5CC2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CC2E6 second address: 5CC302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B212h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CC302 second address: 5CC306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5CC306 second address: 5CC314 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BD9D0 second address: 5BD9DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BD9DC second address: 5BD9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5534F5B216h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BD9FA second address: 5BDA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 call 00007F553536C8F1h 0x0000000e jmp 00007F553536C8EDh 0x00000013 pop edi 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov ebx, 49021CF2h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 movzx edi, ax 0x0000002a mov eax, dword ptr [ebp+122D0EF9h] 0x00000030 add bl, 00000062h 0x00000033 call 00007F553536C8EDh 0x00000038 or ebx, 1B19E24Dh 0x0000003e pop ebx 0x0000003f push FFFFFFFFh 0x00000041 mov dword ptr [ebp+12458BEAh], eax 0x00000047 nop 0x00000048 push eax 0x00000049 push edx 0x0000004a push ecx 0x0000004b pushad 0x0000004c popad 0x0000004d pop ecx 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BDA64 second address: 5BDA6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5534F5B206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BDA6E second address: 5BDA72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C0AB4 second address: 5C0ABF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F5534F5B206h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C3A53 second address: 5C3A5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C4C39 second address: 5C4C46 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C6F0A second address: 5C6F1C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F553536C8ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C7F35 second address: 5C7F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C7F3B second address: 5C7F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C7F40 second address: 5C7F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C7F46 second address: 5C7F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5C7F4A second address: 5C7F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F5534F5B213h 0x00000011 jmp 00007F5534F5B20Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D42E5 second address: 5D431E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F553536C8EEh 0x0000000b jmp 00007F553536C8F4h 0x00000010 jmp 00007F553536C8EDh 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D431E second address: 5D433F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5534F5B218h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D44B3 second address: 5D44B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5D44B9 second address: 5D44BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6CCC second address: 5E6CFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F553536C8F3h 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f jmp 00007F553536C8EDh 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6DF2 second address: 5E6E20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F5534F5B20Fh 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5534F5B216h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6ED4 second address: 5E6ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6F80 second address: 5E6FAA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5534F5B219h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6FAA second address: 5E6FAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6FAE second address: 5E6FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5534F5B212h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6FCE second address: 5E6FDB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6FDB second address: 5E6FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F5534F5B20Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5E6FEF second address: 5E6FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 57455F second address: 5745A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F5534F5B213h 0x00000010 jng 00007F5534F5B206h 0x00000016 jng 00007F5534F5B206h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F5534F5B212h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5745A0 second address: 5745A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5745A4 second address: 5745B8 instructions: 0x00000000 rdtsc 0x00000002 js 00007F5534F5B206h 0x00000008 jp 00007F5534F5B206h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 598699 second address: 59869D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC54B second address: 5EC55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5534F5B20Dh 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC55D second address: 5EC562 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC562 second address: 5EC570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jbe 00007F5534F5B206h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC829 second address: 5EC839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F553536C8E6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC839 second address: 5EC83D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC9C5 second address: 5EC9CA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC9CA second address: 5EC9D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5534F5B206h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5EC9D8 second address: 5EC9E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F553536C8E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECB46 second address: 5ECB4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECB4A second address: 5ECB58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F553536C8F2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECB58 second address: 5ECB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5534F5B206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECB62 second address: 5ECB8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F553536C8F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECB8E second address: 5ECB94 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECCF9 second address: 5ECD0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F553536C8EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECE65 second address: 5ECE6B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECE6B second address: 5ECE9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F553536C8F9h 0x00000009 jmp 00007F553536C8F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ECE9E second address: 5ECEA4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ED11B second address: 5ED120 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5ED120 second address: 5ED126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F39E5 second address: 5F39EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2B4A second address: 5F2B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2B4E second address: 5F2B56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2B56 second address: 5F2B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2B5E second address: 5F2B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2B62 second address: 5F2B6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2B6C second address: 5F2B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2CD3 second address: 5F2CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 ja 00007F5534F5B208h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F2E67 second address: 5F2E6D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F3173 second address: 5F3177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F331E second address: 5F3322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F3322 second address: 5F3331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F3331 second address: 5F3344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F553536C8E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F389F second address: 5F38A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F38A3 second address: 5F38BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8F3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FA185 second address: 5FA189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FA189 second address: 5FA18D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8EB1 second address: 5F8ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jmp 00007F5534F5B216h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8ECE second address: 5F8EDC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8EDC second address: 5F8EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8EE0 second address: 5F8F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F553536C8F9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F91F5 second address: 5F9208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 ja 00007F5534F5B206h 0x0000000c jno 00007F5534F5B206h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8BAB second address: 5F8BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8BB1 second address: 5F8BE5 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007F5534F5B20Ch 0x00000010 pop edi 0x00000011 push esi 0x00000012 jmp 00007F5534F5B218h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5F8BE5 second address: 5F8BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE595 second address: 5FE5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007F5534F5B212h 0x0000000b jno 00007F5534F5B206h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE5A8 second address: 5FE5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8EAh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE5BE second address: 5FE5C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE5C2 second address: 5FE5C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5FE5C8 second address: 5FE5DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5534F5B20Bh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6017CD second address: 6017D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6017D5 second address: 6017DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6017DB second address: 6017F1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F553536C8E8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6017F1 second address: 6017F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6017F8 second address: 601816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F553536C8F7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B932E second address: 598699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007F5534F5B20Ch 0x0000000c call dword ptr [ebp+122D2C50h] 0x00000012 jp 00007F5534F5B21Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9779 second address: 5B977D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9944 second address: 5B9948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9AAE second address: 5B9AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9AB2 second address: 5B9ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F5534F5B206h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9ABC second address: 5B9AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9B81 second address: 5B9B92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B20Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9ECA second address: 5B9ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9ECE second address: 5B9ED4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B9ED4 second address: 5B9EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BA651 second address: 5BA669 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B214h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BA669 second address: 5BA68E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F553536C8E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 jnp 00007F553536C8ECh 0x00000017 jng 00007F553536C8E6h 0x0000001d pop ebx 0x0000001e mov eax, dword ptr [eax] 0x00000020 push ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5BA768 second address: 5BA794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B211h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F5534F5B214h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 604FEA second address: 604FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6052B9 second address: 6052BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6052BD second address: 6052C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 605455 second address: 60545B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 605578 second address: 6055B0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F553536C904h 0x00000008 jnc 00007F553536C8E6h 0x0000000e jmp 00007F553536C8F8h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jnl 00007F553536C8E6h 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pop edx 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6055B0 second address: 6055C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B20Dh 0x00000007 jc 00007F5534F5B212h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60574F second address: 60575C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 60575C second address: 605778 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B218h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6058B3 second address: 6058D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6080CA second address: 6080CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607C0F second address: 607C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F553536C8ECh 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 607DEF second address: 607DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 572B4A second address: 572B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnc 00007F553536C8E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F553536C8EEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612BC1 second address: 612BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007F5534F5B206h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612BCD second address: 612BDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612D72 second address: 612D8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B20Dh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612D8A second address: 612D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jnp 00007F553536C8E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 612EEA second address: 612F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5534F5B206h 0x0000000a pop eax 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e jl 00007F5534F5B206h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 jp 00007F5534F5B206h 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007F5534F5B20Dh 0x00000023 jmp 00007F5534F5B211h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6130AA second address: 6130B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6130B2 second address: 6130B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613201 second address: 61320B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61320B second address: 613224 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5534F5B206h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5534F5B20Ah 0x0000000f popad 0x00000010 push ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 613224 second address: 61322A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61600B second address: 616014 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6161A1 second address: 6161A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6162D8 second address: 6162DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6162DC second address: 6162E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6162E0 second address: 6162EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6162EA second address: 6162EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6162EE second address: 616309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F5534F5B212h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61AB24 second address: 61AB42 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F553536C8EFh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61AB42 second address: 61AB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BA0F7 second address: 5BA110 instructions: 0x00000000 rdtsc 0x00000002 je 00007F553536C8E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jo 00007F553536C8E8h 0x00000014 push esi 0x00000015 pop esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61B4AF second address: 61B4B5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62264D second address: 622653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 622653 second address: 62265A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62294A second address: 62294E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628C9F second address: 628CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 628CA5 second address: 628CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62BF0B second address: 62BF16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C4C9 second address: 62C506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F553536C8E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d je 00007F553536C8FAh 0x00000013 push ebx 0x00000014 jmp 00007F553536C8F3h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C649 second address: 62C662 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5534F5B208h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnl 00007F5534F5B206h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 62C662 second address: 62C667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 633CC0 second address: 633CE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F5534F5B217h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6340D9 second address: 6340E5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F553536C8E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63427B second address: 634281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6346E0 second address: 6346E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634823 second address: 634828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634828 second address: 63483B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8EEh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634959 second address: 63498D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5534F5B212h 0x00000008 push edi 0x00000009 jbe 00007F5534F5B206h 0x0000000f pop edi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 jnl 00007F5534F5B212h 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634B0F second address: 634B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634B14 second address: 634B20 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634B20 second address: 634B24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634FE8 second address: 634FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F5534F5B206h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634FF7 second address: 634FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 634FFB second address: 635001 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 635001 second address: 63501C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F553536C8E6h 0x0000000d jno 00007F553536C8E6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63501C second address: 635037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jo 00007F5534F5B206h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5534F5B20Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6358B4 second address: 6358C0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6358C0 second address: 6358C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6358C4 second address: 6358CE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6358CE second address: 6358D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6358D3 second address: 6358E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F553536C8E6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63CA6E second address: 63CA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63C771 second address: 63C77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F553536C8E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 63C77D second address: 63C782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647EC9 second address: 647ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 647ECD second address: 647EF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jns 00007F5534F5B206h 0x0000000d jmp 00007F5534F5B213h 0x00000012 pop edi 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648010 second address: 648014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 648014 second address: 648022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F5534F5B206h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C61C second address: 64C62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F553536C8E6h 0x0000000a pop esi 0x0000000b push edx 0x0000000c jc 00007F553536C8E6h 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C77D second address: 64C796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5534F5B212h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C796 second address: 64C79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 652811 second address: 65282D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5534F5B20Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F5534F5B206h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6514DF second address: 6514E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F553536C8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6514E9 second address: 6514ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6514ED second address: 651550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F553536C8E8h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jmp 00007F553536C8F1h 0x00000019 pushad 0x0000001a jnl 00007F553536C8E6h 0x00000020 jmp 00007F553536C8F6h 0x00000025 popad 0x00000026 jmp 00007F553536C8EBh 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e push edx 0x0000002f pop edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65B5C5 second address: 65B5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5534F5B206h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F5534F5B211h 0x00000016 push edi 0x00000017 pop edi 0x00000018 ja 00007F5534F5B206h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D73D second address: 65D745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D745 second address: 65D780 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5534F5B20Ah 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5534F5B214h 0x00000016 jmp 00007F5534F5B216h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D780 second address: 65D79D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D79D second address: 65D7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65D7A3 second address: 65D7A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 660645 second address: 6606A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F5534F5B208h 0x0000000c jmp 00007F5534F5B217h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F5534F5B210h 0x0000001c jmp 00007F5534F5B218h 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 jne 00007F5534F5B206h 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6606A3 second address: 6606A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6606A7 second address: 6606AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6606AD second address: 6606B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665B2E second address: 665B32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665B32 second address: 665B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop ecx 0x0000000d jng 00007F553536C8FEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665B5D second address: 665B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jnc 00007F5534F5B206h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665B69 second address: 665B81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665B81 second address: 665B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665B8B second address: 665B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F553536C8EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665CD3 second address: 665CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665CDB second address: 665CFC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F553536C8E6h 0x00000008 jmp 00007F553536C8F3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665CFC second address: 665D02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665E42 second address: 665E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665FA9 second address: 665FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F5534F5B20Ch 0x0000000b ja 00007F5534F5B206h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665FC0 second address: 665FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007F553536C8E6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665FCD second address: 665FD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6662B0 second address: 6662B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6662B6 second address: 6662BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6662BC second address: 6662C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F553536C8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66641E second address: 666431 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B20Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666431 second address: 66643C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jns 00007F553536C8E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66643C second address: 66644C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66644C second address: 666450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 666DD9 second address: 666E13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B215h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jg 00007F5534F5B229h 0x00000012 pushad 0x00000013 jmp 00007F5534F5B213h 0x00000018 push edx 0x00000019 pop edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B5E1 second address: 66B5EB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F553536C8E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B5EB second address: 66B5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B5F7 second address: 66B601 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B601 second address: 66B61D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F5534F5B206h 0x00000009 jo 00007F5534F5B206h 0x0000000f jl 00007F5534F5B206h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6748B8 second address: 6748BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 683EA5 second address: 683EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 683EA9 second address: 683EC8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F553536C8F3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 683EC8 second address: 683ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6839CC second address: 6839D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6839D0 second address: 6839E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnl 00007F5534F5B206h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F5534F5B20Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6839E9 second address: 6839EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 683BB9 second address: 683BCB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5534F5B20Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 683BCB second address: 683BD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6856EF second address: 6856F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6856F3 second address: 685724 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F553536C8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F553536C8F3h 0x00000012 jne 00007F553536C8E6h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b pop edi 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f push edi 0x00000020 pop edi 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68C61B second address: 68C662 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F5534F5B216h 0x0000000a jmp 00007F5534F5B211h 0x0000000f js 00007F5534F5B206h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push esi 0x0000001a jmp 00007F5534F5B20Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CA23 second address: 68CA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CA2B second address: 68CA31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CA31 second address: 68CA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F553536C8F5h 0x0000000b jnl 00007F553536C8E6h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F553536C8EBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CBC7 second address: 68CBEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007F5534F5B222h 0x0000000b jmp 00007F5534F5B216h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CD1E second address: 68CD3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CD3E second address: 68CD57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B20Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F5534F5B20Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CD57 second address: 68CD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CD5B second address: 68CD61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 68CD61 second address: 68CD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 690494 second address: 690498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 690498 second address: 6904A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6904A3 second address: 6904A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6904A8 second address: 6904CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F553536C8EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jmp 00007F553536C8ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6904CB second address: 6904D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BA6 second address: 696BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BAB second address: 696BB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BB0 second address: 696BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BB8 second address: 696BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5534F5B211h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BD7 second address: 696BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BDF second address: 696BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696BE4 second address: 696C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F553536C8F8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 696C00 second address: 696C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 698450 second address: 698456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 691491 second address: 691496 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 691317 second address: 69132D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F553536C8E6h 0x00000008 js 00007F553536C8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 69132D second address: 69134B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5534F5B219h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5B4C55 second address: 5B4C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3FDB83 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5A7D82 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5A8160 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5A69BD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5B9455 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4900000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6B40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9540 rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00597361 sidt fword ptr [esp-02h]
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DF22D GetSystemInfo,VirtualAlloc,
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9540 rdtsc
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HiKProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DAEFB GetSystemTime,GetFileTime,

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

MITRE ATT&CK Matrix

Tactics (matrix columns): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques flagged for this sample, grouped by tactic (the number is the count shown next to the technique in the matrix, kept as rendered):

  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Bypass User Account Control (2)
  • Defense Evasion: Masquerading (1); Disable or Modify Tools (41); Virtualization/Sandbox Evasion (271); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (11); DLL Side-Loading (1); Bypass User Account Control (2)
  • Discovery: System Time Discovery (1); Security Software Discovery (641); Process Discovery (2); Virtualization/Sandbox Evasion (271); System Information Discovery (24)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (2)
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561851
Start date and time: 2024-11-24 13:39:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com, time.windows.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.480373695942265
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'814'976 bytes
MD5: a96c40d05014ad3737c638dd279b0563
SHA1: ee419cd267f0c30581c345e059d470b8f8d28b1b
SHA256: 78cc68031e9149107111dd62528bcda1aff60c7422ab7fab3ed98aecc12e4f9a
SHA512: 02ebdc8d6b72ffa5c4a83700b98508de871bad5fc06a935a982e39d7bfc96cffd20f57530fc051a87100e38ae81469e3bc74231f2d3201f22c26c72d8c45919f
SSDEEP: 49152:DFaTmm4PDmoBqgrSh9M2/HPmX2YOymgt+KOFkGjEc:Q69PDmabrSJHumut+KckGjD
TLSH: 6DD54C92B505F2CBD8AE17B88027CDC2692D43F94B5505D3AC7C64BEBE63DC116B6C28
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`+.. ...`....@.. ........................+.....E.+...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6b6000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (entrypoint disassembly; only the first instruction is meaningful, the rest of the listing is data decoded as instructions):
jmp 00007F553469E18Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(name not rendered) | 0x2000 | 0x4000 | 0x1200 | 567efbf008dc083835bfcd41de8840a8 | False | 0.9301215277777778 | data | 7.752728161506336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tcknjbhw | 0xa000 | 0x2aa000 | 0x2a9400 | 9e26292c20f19ae5e99f8ef76efb4b92 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pazbjnlm | 0x2b4000 | 0x2000 | 0x400 | e67f811bb419ec8426ac982f3e6feb2b | False | 0.787109375 | data | 6.1640433650128985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2b6000 | 0x4000 | 0x2200 | ef84566619c2c3d70d7400f229b8dabf | False | 0.09363511029411764 | DOS executable (COM) | 1.1587563509570062 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 0
Start time: 07:39:58
Start date: 24/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x3f0000
File size: 2'814'976 bytes
MD5 hash: A96C40D05014AD3737C638DD279B0563
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true
    Execution Graph

    Execution Coverage:5.6%
    Dynamic/Decrypted Code Coverage:3.4%
    Signature Coverage:3.9%
    Total number of Nodes:356
    Total number of Limit Nodes:19
5db581 8876->8879 8881 5db587 8877->8881 8878->8881 8884 5d8d04 8879->8884 8883 5db4d1 8882->8883 8883->8874 8883->8875 8887 5d8d11 8884->8887 8885 5d8e0c 8885->8881 8886 5d8d4a CreateFileA 8888 5d8d96 8886->8888 8887->8885 8887->8886 8888->8885 8889 5d8bc7 CloseHandle 8888->8889 8889->8885 8892 5db419 GetWindowsDirectoryA 8890->8892 8893 5db443 8892->8893 8704 5e01c7 8706 5e01d3 8704->8706 8707 5e01e5 8706->8707 8708 5dfdee 2 API calls 8707->8708 8709 5e01f7 8708->8709 8710 581283 LoadLibraryA 8711 58128b 8710->8711 8894 58f563 LoadLibraryA 8712 4941308 8713 4941349 ImpersonateLoggedOnUser 8712->8713 8714 4941376 8713->8714 8715 4940d48 8716 4940d4c OpenSCManagerW 8715->8716 8718 4940ddc 8716->8718

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11ED5FEC), ref: 005DF239
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 005DF29A
    Memory Dump Source
    • Source File: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 963477f4e7f1ce5a42b8d9366559e0f4c7f5fb3ff18b6ebc7bf07d69e080d46b
    • Instruction ID: 3a34fc87d6d7f7e0cbf97a4bdf1a344081ef940c334ebad46d4f11c1b37715c2
    • Opcode Fuzzy Hash: 963477f4e7f1ce5a42b8d9366559e0f4c7f5fb3ff18b6ebc7bf07d69e080d46b
    • Instruction Fuzzy Hash: D94101B1D44206AFE735DF64CC55BA6BAACFB49701F0044A3B603DE982D67095E09BE4
    Memory Dump Source
    • Source File: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6edc6d9dbb25b2c790e2905759e8a3ab1529d4c135f43662868ba53079975a4a
    • Instruction ID: 588100d058afa3717de120479b340bf6fdc0018d36a459a65a77790466ff2e00
    • Opcode Fuzzy Hash: 6edc6d9dbb25b2c790e2905759e8a3ab1529d4c135f43662868ba53079975a4a
    • Instruction Fuzzy Hash: D14155B210C200AFE709AF29D85267EFBE5FF88721F168C2DE6C582650E7354480CB5B

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 005D8592
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 005D85A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 287060255e72bfaa5e7561e773cee275fc4e592787964297868186deaac870f2
    • Instruction ID: e221e461384abae9debfa2c5ccddc7741ab2ee87d5304430a31a0799fa389870
    • Opcode Fuzzy Hash: 287060255e72bfaa5e7561e773cee275fc4e592787964297868186deaac870f2
    • Instruction Fuzzy Hash: 79316A7140420AFFCF35AF58E904ABE7FB5BF44310F148567F80696261DB31A9A0DB50

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 005DC4A4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: 1002$G$g-r
    • API String ID: 1029625771-3687583354
    • Opcode ID: 8b32d73b1b95eb4a17cbe8ef3762637e6a023815a501c09daa829abd230ae901
    • Instruction ID: a9f505349d8b089299eaeaff202e8fd1333ba444685cc042759f72f84265586a
    • Opcode Fuzzy Hash: 8b32d73b1b95eb4a17cbe8ef3762637e6a023815a501c09daa829abd230ae901
    • Instruction Fuzzy Hash: 8D62F3B414925EDFEF51DF68C808BEF3AA5EB19345F104426AC1682A90D37A4DB0EF1D

    Control-flow Graph

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID: .exe$.exe
    • API String ID: 0-1392631246
    • Opcode ID: 57ca03000b9acf0eb5e8d7fc3b99f0ff56a022f00a651b9bc466021ea250c3ca
    • Instruction ID: 86b3bb5511421c35284ed1fda7fa154acb88ab3908e33dc8813904a9d17d9515
    • Opcode Fuzzy Hash: 57ca03000b9acf0eb5e8d7fc3b99f0ff56a022f00a651b9bc466021ea250c3ca
    • Instruction Fuzzy Hash: C6415C71904209EFDB35DF68D944BAA7FA2FF00315F2484A7E903AA791C371ACA0DB51

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 244 5d8987-5d8998 call 5d82eb 247 5d899e 244->247 248 5d89a3-5d89ac call 5d6dae 244->248 249 5d8a37-5d8a3b 247->249 255 5d89e0-5d89e7 248->255 256 5d89b2-5d89be call 5d74c0 248->256 251 5d8a4f-5d8a52 GetModuleHandleA 249->251 252 5d8a41-5d8a4a GetModuleHandleW 249->252 254 5d8a58 251->254 252->254 258 5d8a62-5d8a64 254->258 259 5d89ed-5d89f4 255->259 260 5d8a32 call 5d6e59 255->260 262 5d89c3-5d89c5 256->262 259->260 263 5d89fa-5d8a01 259->263 260->249 262->260 264 5d89cb-5d89d0 262->264 263->260 265 5d8a07-5d8a0e 263->265 264->260 266 5d89d6-5d8a5d call 5d6e59 264->266 265->260 267 5d8a14-5d8a28 265->267 266->258 267->260
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,005D8919,?,00000000,00000000), ref: 005D8A44
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,005D8919,?,00000000,00000000), ref: 005D8A52
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: eca4e6716849d2d13a6a71b132824e5981a5c43cd02a85d1fb51970c623bbe71
    • Instruction ID: 95e3d9dd10a7ecd8f7f9aa186bea00cb5704f0500752f6444cb697adc153a21a
    • Opcode Fuzzy Hash: eca4e6716849d2d13a6a71b132824e5981a5c43cd02a85d1fb51970c623bbe71
    • Instruction Fuzzy Hash: C3117C3020560AAEDB31DFACC80D7B97F79FF10395F044227E40594AA0EBB199E4DA82

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 271 5db2e1-5db2ef 272 5db2f5-5db2fc 271->272 273 5db301 271->273 274 5db308-5db31e call 5d6dae call 5d7512 272->274 273->274 279 5db33d 274->279 280 5db324-5db332 call 5d74c0 274->280 281 5db341-5db344 279->281 286 5db349-5db34e 280->286 287 5db338 280->287 283 5db374-5db37b call 5d6e59 281->283 288 5db365-5db368 GetFileAttributesA 286->288 289 5db354-5db360 GetFileAttributesW 286->289 287->281 291 5db36e-5db36f 288->291 289->291 291->283
    APIs
    • GetFileAttributesW.KERNELBASE(00B514BC,-11ED5FEC), ref: 005DB35A
    • GetFileAttributesA.KERNEL32(00000000,-11ED5FEC), ref: 005DB368
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 8565bd18fffd1d7645ce170956a5efd0563c6175510151e641e51e18d6112fb7
    • Instruction ID: 2b120ec00130ff28ab57fa1d5bd5597f6b4017bc31ff961b293cbff4281b7d04
    • Opcode Fuzzy Hash: 8565bd18fffd1d7645ce170956a5efd0563c6175510151e641e51e18d6112fb7
    • Instruction Fuzzy Hash: 0E018170508609FAFF319F5CC90D79D7E72BF40344F114927E502692A0D3705A95FB41

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 292 5d7361-5d7391 294 5d74bc-5d74bd 292->294 295 5d7397-5d73ac 292->295 295->294 297 5d73b2-5d73b6 295->297 298 5d73bc-5d73ce PathAddExtensionA 297->298 299 5d73d8-5d73df 297->299 304 5d73d7 298->304 300 5d73e5-5d73f4 call 5d7002 299->300 301 5d7401-5d7408 299->301 306 5d73f9-5d73fb 300->306 302 5d740e-5d7415 301->302 303 5d744a-5d7451 301->303 307 5d742e-5d743d call 5d7002 302->307 308 5d741b-5d7424 302->308 309 5d7457-5d746d call 5d7002 303->309 310 5d7473-5d747a 303->310 304->299 306->294 306->301 317 5d7442-5d7444 307->317 308->307 311 5d742a 308->311 309->294 309->310 314 5d749c-5d74a3 310->314 315 5d7480-5d7496 call 5d7002 310->315 311->307 314->294 316 5d74a9-5d74b6 call 5d703b 314->316 315->294 315->314 316->294 317->294 317->303
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 005D73C3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: f4abc5599206a8e6fff2586ea5a6065ab2254ad0fbb84d944ec36e6308452a3f
    • Instruction ID: 605a82b4c0257313f5681b3583754be56c399a606f377ec108edb6114001b196
    • Opcode Fuzzy Hash: f4abc5599206a8e6fff2586ea5a6065ab2254ad0fbb84d944ec36e6308452a3f
    • Instruction Fuzzy Hash: AD31183660420EBEEF329F98CD49B9E7E75BF48341F000057F902A51A0E3769AA1DF54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 323 5d8a70-5d8a83 call 5d6dae 326 5d8a89-5d8a95 call 5d74c0 323->326 327 5d8ac6-5d8ada call 5d6e59 GetModuleHandleExA 323->327 330 5d8a9a-5d8a9c 326->330 333 5d8ae4-5d8ae6 327->333 330->327 332 5d8aa2-5d8aa9 330->332 334 5d8aaf 332->334 335 5d8ab2-5d8adf call 5d6e59 332->335 334->335 335->333
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 005D8AD4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 5b796a1b4328662ca24765f75926cabe125517dd98c9d079fff17ad9cd623ce5
    • Instruction ID: b11cda3ad21641948484d56ffb842110d71c63cca572ea7e7cb454ecd9cce157
    • Opcode Fuzzy Hash: 5b796a1b4328662ca24765f75926cabe125517dd98c9d079fff17ad9cd623ce5
    • Instruction Fuzzy Hash: D0F06D75204206AFDF20DF58D849AAA3FB5FF58310F148027FA1586251EB30C861AA60

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 366 5db4fd-5db50b 367 5db51d 366->367 368 5db511-5db518 366->368 369 5db524-5db530 call 5d6dae 367->369 368->369 372 5db54b-5db55b call 5db4af 369->372 373 5db536-5db540 call 5db40a 369->373 379 5db56d-5db57b call 5d74c0 372->379 380 5db561-5db568 372->380 373->372 378 5db546 373->378 381 5db58c-5db591 378->381 379->381 386 5db581-5db582 call 5d8d04 379->386 380->381 384 5db5ba-5db5cf CreateFileA 381->384 385 5db597-5db5b5 CreateFileW 381->385 387 5db5d5-5db5d6 384->387 385->387 391 5db587 386->391 388 5db5db-5db5e2 call 5d6e59 387->388 391->388
    APIs
    • CreateFileW.KERNELBASE(00B514BC,?,?,-11ED5FEC,?,?,?,-11ED5FEC,?), ref: 005DB5AF
      • Part of subcall function 005DB4AF: IsBadWritePtr.KERNEL32(?,00000004), ref: 005DB4BD
    • CreateFileA.KERNEL32(?,?,?,-11ED5FEC,?,?,?,-11ED5FEC,?), ref: 005DB5CF
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: fda75ed5deaee38ceb68bf5fd08d529fd27b88b0f81adf25db2dca90fe535d5b
    • Instruction ID: 8b7a5b5420bbe01b5a78fb4f1f1f9248833b5522ce74618a697aedcff2ec48f7
    • Opcode Fuzzy Hash: fda75ed5deaee38ceb68bf5fd08d529fd27b88b0f81adf25db2dca90fe535d5b
    • Instruction Fuzzy Hash: 7611293140420AFAEF32AF98ED09B9E3E73BF44344F014517B906652A1E736CAA1EB41

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 393 5dae69-5dae7f call 5d6dae GetCurrentProcess 396 5dae85-5dae88 393->396 397 5daec1-5daee3 call 5d6e59 DuplicateHandle 393->397 396->397 399 5dae8e-5dae91 396->399 402 5daeed-5daeef 397->402 399->397 401 5dae97-5daeaa call 5d6c08 399->401 401->397 405 5daeb0-5daee8 call 5d8c06 call 5d6e59 401->405 405->402
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
    • GetCurrentProcess.KERNEL32(-11ED5FEC), ref: 005DAE76
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 005DAEDC
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: d2272b2b1f4939fae03f136a9aed419345bf987c7c3378960f5fe4ff7355dd13
    • Instruction ID: 07dc4a74dd1ba42bdcc35533f1bc32cd5c70b7dc97a800ccb0bb4f27213c5214
    • Opcode Fuzzy Hash: d2272b2b1f4939fae03f136a9aed419345bf987c7c3378960f5fe4ff7355dd13
    • Instruction Fuzzy Hash: 2201FB7710014ABA9F32AFA8DC49C9F3F39FF98754B004517FA0594151C735D462EB62

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 410 5d94e8-5d94f9 411 5d94ff-5d9513 call 5d6e8c 410->411 412 5d9528-5d9531 call 5d6e8c 410->412 422 5d9616 411->422 423 5d9519-5d9527 411->423 417 5d960e-5d9611 call 5d6eb1 412->417 418 5d9537-5d9548 call 5d8cca 412->418 417->422 426 5d954e-5d9552 418->426 427 5d9568-5d95a7 CreateFileA 418->427 425 5d961d-5d9621 422->425 423->412 431 5d9558-5d9564 426->431 432 5d9565 426->432 428 5d95ad-5d95ca 427->428 429 5d95cb-5d95ce 427->429 428->429 433 5d95d4-5d95eb call 5d6bce 429->433 434 5d9601-5d9609 call 5d8b59 429->434 431->432 432->427 433->425 441 5d95f1-5d95fc call 5d8bc7 433->441 434->422 441->422
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 005D959D
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9243b9e45be1d97599c82dc992e54ef4dbc3ee15a633be01f039565ab2c5baeb
    • Instruction ID: dc6e34d0925dcbd54c63d9a01a06a7a18bad8a03aebc2471cef94d0598c5adcc
    • Opcode Fuzzy Hash: 9243b9e45be1d97599c82dc992e54ef4dbc3ee15a633be01f039565ab2c5baeb
    • Instruction Fuzzy Hash: 28317C71A00205FAEB319F69DC49F9EBBB8FF44314F208267FA05AA291D7719A51CF14

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 444 581283-581285 LoadLibraryA 445 581299 444->445 446 58128b-581298 444->446 447 58129f-5812b0 445->447 448 5812b1-5813b5 445->448 446->445 447->448
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: e8ef07c2d9b1ec623c1148b148a2fa60f1cf9e6bc515b3f131d6061c5ff97b61
    • Instruction ID: b025edc65890f88bc28e5c86a5c9e8e7e547b1df03546d406281a79a3776e3a5
    • Opcode Fuzzy Hash: e8ef07c2d9b1ec623c1148b148a2fa60f1cf9e6bc515b3f131d6061c5ff97b61
    • Instruction Fuzzy Hash: 98318FF650C704AFE301AF0AEC81A7EFBE9FF94721F02882DE6C592610E63154508B57

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 452 5d8d04-5d8d13 call 5d6e8c 455 5d8e19 452->455 456 5d8d19-5d8d2a call 5d8cca 452->456 458 5d8e20-5d8e24 455->458 460 5d8d4a-5d8d90 CreateFileA 456->460 461 5d8d30-5d8d34 456->461 464 5d8ddb-5d8dde 460->464 465 5d8d96-5d8db7 460->465 462 5d8d3a-5d8d46 461->462 463 5d8d47 461->463 462->463 463->460 466 5d8de4-5d8dfb call 5d6bce 464->466 467 5d8e11-5d8e14 call 5d8b59 464->467 465->464 472 5d8dbd-5d8dda 465->472 466->458 474 5d8e01-5d8e0c call 5d8bc7 466->474 467->455 472->464 474->455
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 005D8D86
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9e469d827a26649f2630637fc3c95998b34d9f807816a9169ae6f26a5064d9fb
    • Instruction ID: f2a46183e0a3bcde8f7dfd68c4e7d4a8c7d3ea71f5a6c1eec3d08d6453d2db01
    • Opcode Fuzzy Hash: 9e469d827a26649f2630637fc3c95998b34d9f807816a9169ae6f26a5064d9fb
    • Instruction Fuzzy Hash: 71319FB1600205BAEB309F68DC46FAA7BB8FB44724F20425BF611EE2D1D7B1A5518B14

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 478 5df9a6-5df9b5 479 5df9bb 478->479 480 5df9c1-5df9d5 478->480 479->480 482 5df9db-5df9e5 480->482 483 5dfa93-5dfa95 480->483 484 5df9eb-5df9f5 482->484 485 5dfa82-5dfa8e 482->485 484->485 486 5df9fb-5dfa05 484->486 485->480 486->485 487 5dfa0b-5dfa1a 486->487 489 5dfa25-5dfa2a 487->489 490 5dfa20 487->490 489->485 491 5dfa30-5dfa3f 489->491 490->485 491->485 492 5dfa45-5dfa5c GetModuleFileNameA 491->492 492->485 493 5dfa62-5dfa70 call 5df902 492->493 496 5dfa7b-5dfa7d 493->496 497 5dfa76 493->497 496->483 497->485
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 005DFA53
    Memory Dump Source
    • Source File: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: d7f8c00707b9fb8b176e7e439aa7e252d3fef2cdb33c16ac44f8f2b8cfdd5de3
    • Instruction ID: 5783de12de700d5cc2780d657f786b79c2faad96cf1d2817f80e65f332627e08
    • Opcode Fuzzy Hash: d7f8c00707b9fb8b176e7e439aa7e252d3fef2cdb33c16ac44f8f2b8cfdd5de3
    • Instruction Fuzzy Hash: 2F118771A05225ABDB30960C9C48BBA7BBCFF48754F1440B7EC0B96241E7B49EC0CBA1

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 498 4940d43-4940d46 499 4940d4c-4940d97 498->499 500 4940d48-4940d4b 498->500 502 4940d9f-4940da3 499->502 503 4940d99-4940d9c 499->503 500->499 504 4940da5-4940da8 502->504 505 4940dab-4940dda OpenSCManagerW 502->505 503->502 504->505 506 4940de3-4940df7 505->506 507 4940ddc-4940de2 505->507 507->506
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04940DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1399110120.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4940000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: a757b1f4b3cbe689c0f7ca288526c98b89f0ea6ab02cd8c5312bc2094cf87961
    • Instruction ID: 72fde5829fe74958f8c3140bc83d8935277d5301a27cad1a0c38b62fcb6a583f
    • Opcode Fuzzy Hash: a757b1f4b3cbe689c0f7ca288526c98b89f0ea6ab02cd8c5312bc2094cf87961
    • Instruction Fuzzy Hash: D02138B6C003089FCB14CF99D884BDEFBF4EF88310F14812AE908AB204D734A544CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04940DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1399110120.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4940000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: eada1b9689e58a778eced807b16f86d3078fd59c938ec2e393e72a17e3156f71
    • Instruction ID: 09f64cfbf4c91f37a265e95a4b11e0d2fc2a8c9e56b3e0b0fa6971f3b7974749
    • Opcode Fuzzy Hash: eada1b9689e58a778eced807b16f86d3078fd59c938ec2e393e72a17e3156f71
    • Instruction Fuzzy Hash: 3A2115B6C013189FCB14CFA9D884BDEFBF4EF88310F14852AE908AB204D774A544CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04941580
    Memory Dump Source
    • Source File: 00000000.00000002.1399110120.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4940000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 7d1572f49a152880ee9d9f993f94fd9f7906162297d4ad443a16641a2837b188
    • Instruction ID: 9bfa5e64c3820a6007e866fa79ea0a260558a2d545a0ec0f2e219f4b3a4ceeb3
    • Opcode Fuzzy Hash: 7d1572f49a152880ee9d9f993f94fd9f7906162297d4ad443a16641a2837b188
    • Instruction Fuzzy Hash: 352117B5D003499FDB20CFAAD485BDEFBF4EB48310F10842AE559A7250D778A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04941580
    Memory Dump Source
    • Source File: 00000000.00000002.1399110120.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4940000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: d8f267db91a48f10dfb8eef8f039b09fc5edf2649d45eb5b6012a3de01a0c7a7
    • Instruction ID: d99252cace6344c65b7807a83c414d22ddb79f39480df609815448cbe5505d5b
    • Opcode Fuzzy Hash: d8f267db91a48f10dfb8eef8f039b09fc5edf2649d45eb5b6012a3de01a0c7a7
    • Instruction Fuzzy Hash: 621129B1D003498FDB10CF9AD484BDEFBF4EB48310F10802AE559A3250D778A544CFA5
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11ED5FEC), ref: 005DC0BC
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: c5a13d9804f530653df16cb207c8df44d0ed64fbd97c51db1dbc1fe8e56bd584
    • Instruction ID: f82482e73a61656346287026cf52390ce1c40c54603e18d657a9cba93b6314c3
    • Opcode Fuzzy Hash: c5a13d9804f530653df16cb207c8df44d0ed64fbd97c51db1dbc1fe8e56bd584
    • Instruction Fuzzy Hash: 5D11937650014BEECF32AFA8DD0DD9E3F66BF98354B018513FA0155621C73684B2EBA1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04941367
    Memory Dump Source
    • Source File: 00000000.00000002.1399110120.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4940000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 9c72ddbb0cae6ded6e65ccdd5065b32a11289f800f8b427e57c433df8c151ea9
    • Instruction ID: 4b330ef04cc15570838db68ee6aa6061313377f99bd4077899351dca8c701c29
    • Opcode Fuzzy Hash: 9c72ddbb0cae6ded6e65ccdd5065b32a11289f800f8b427e57c433df8c151ea9
    • Instruction Fuzzy Hash: 76111676800349CFDB20CFAAD545BDEFBF4EB48320F14842AD958A3650D778A944CFA5
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: b16d5acf5ccfb40c05d22e130dc9647ce9f9e25ac840c8c0cfae42d1d5883b1d
    • Instruction ID: 3c10047cc09887d4484ad348a08bba1541b5cf3fd83e5ac65012b18553965510
    • Opcode Fuzzy Hash: b16d5acf5ccfb40c05d22e130dc9647ce9f9e25ac840c8c0cfae42d1d5883b1d
    • Instruction Fuzzy Hash: BB112A7610020AEADF21AFA9D80DADE3FAEFF84340F118417F60156261D735C962EB60
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04941367
    Memory Dump Source
    • Source File: 00000000.00000002.1399110120.0000000004940000.00000040.00000800.00020000.00000000.sdmp, Offset: 04940000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4940000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 665c41860050e7d1868fede8fa61bd7537992c3212267132097ae8e1d45a8e08
    • Instruction ID: 0ea01eacff72aea95f6337b067593de018f5971cf2e833d299c1435a7c2fb929
    • Opcode Fuzzy Hash: 665c41860050e7d1868fede8fa61bd7537992c3212267132097ae8e1d45a8e08
    • Instruction Fuzzy Hash: 081106B1800349CFDB20CFAAD545BDEFBF8EB48324F14842AD558A3650D778A944CFA5
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11ED5FEC,?,?,005D9430,?,?,00000400,?,00000000,?,00000000), ref: 005DB76D
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: 0be4c97129ab3df2063e76766b8f259ef3d175468aa8234a8cd5126e32295623
    • Instruction ID: 013576fe4a8dd254582fc28f02667ba6e16ec64f9bec7e505047ebc0ae554f7b
    • Opcode Fuzzy Hash: 0be4c97129ab3df2063e76766b8f259ef3d175468aa8234a8cd5126e32295623
    • Instruction Fuzzy Hash: ECF0C93610414AFBDF226FA8D80AE9E3F6AFF95740F454513B60555221C732C8A2EBA1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 9ba458b89c6dc4369eefe405b6838e17da9d99251c45985ffd4f18eb52ceea8d
    • Instruction ID: 864dce7d0f60db7cc1e23186a5f1961855be2ec7acb431fe40eeff250fad4475
    • Opcode Fuzzy Hash: 9ba458b89c6dc4369eefe405b6838e17da9d99251c45985ffd4f18eb52ceea8d
    • Instruction Fuzzy Hash: E8B09231018708CBC7406F60888E8ED7BE4AA08210F010E08988192800C230A4148B42
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 3d9b8cfbb8d16bde65044dbcc1962a48b295c4a995b2c8c3862267afd9cd8acc
    • Instruction ID: 4b1f79cba0f3be3a7fe61dc3db728b138aab288050eb0a8123f7938bec78963c
    • Opcode Fuzzy Hash: 3d9b8cfbb8d16bde65044dbcc1962a48b295c4a995b2c8c3862267afd9cd8acc
    • Instruction Fuzzy Hash: A601D631A0454FBECF219FA8DC09D9EBF76FF44740F004166A505A4164E7328A6ADF64
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,005DF5CC,?,?,005DF2D2,?,?,005DF2D2,?,?,005DF2D2), ref: 005DF5F0
    Memory Dump Source
    • Source File: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 87b12b0591477f2fe943df755a00fbd915ed77d783f44b281843c2a7e34d5248
    • Instruction ID: 2faf312bedfc8bd2b119b1e08cd8f4fe793b597a2a618d00e745de5132f8ea3d
    • Opcode Fuzzy Hash: 87b12b0591477f2fe943df755a00fbd915ed77d783f44b281843c2a7e34d5248
    • Instruction Fuzzy Hash: 95F081B1948305EFD7348F18C90AB69BFA4FF44752F108066F64B9BA61D3B598C0CB50
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 003FF3F1
    Memory Dump Source
    • Source File: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: a080d47cc7f350f0be599041620aae8f216b0cc0f659f3e195769d08729333e6
    • Instruction ID: b52d56c9d4da040353c489afefc31db8370ffea2b5ee152e4d8eac274d892cd1
    • Opcode Fuzzy Hash: a080d47cc7f350f0be599041620aae8f216b0cc0f659f3e195769d08729333e6
    • Instruction Fuzzy Hash: DFF0E97510920EDFD7563E18EC46BBD7BA4EB40314F30423DDF9145B84E9320568D647
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 003FF7D0
    Memory Dump Source
    • Source File: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 919ca49d77c8631839100569678c7632f0d285b03bb819a88a9b85a20333509f
    • Instruction ID: d9763c5314546ed552ad91275802d8b7c36d8e97c4e6be78714bd7029f9e4254
    • Opcode Fuzzy Hash: 919ca49d77c8631839100569678c7632f0d285b03bb819a88a9b85a20333509f
    • Instruction Fuzzy Hash: 30F06DB2908118CFEB416F38C40436EB7A4FF55310F118A28EEA6D7B90D6316D60CA86
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
    • CloseHandle.KERNELBASE(005D94C5,-11ED5FEC,?,?,005D94C5,?), ref: 005D9B40
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: 71dd9178a4fd6c2edb74784cebb84d0d3b96c66714afee64d1ab9048a29bcbb1
    • Instruction ID: c4492bb7af57b9e3f60556e6929185a4ab7a0cffbec80dd4e25cb8054dbcaa78
    • Opcode Fuzzy Hash: 71dd9178a4fd6c2edb74784cebb84d0d3b96c66714afee64d1ab9048a29bcbb1
    • Instruction Fuzzy Hash: F9E048B620814669DE317ABCE80ED9F6F29FFD0744B024123B50295251DA21C492D660
    APIs
    • CloseHandle.KERNELBASE(?,?,005D6C4D,?,?), ref: 005D8BCD
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 96e44d402891951904d9d184dfece275daed929eb0be2d65578de42a26d05812
    • Instruction ID: 53c9f1712b9531658c459a930960e193ab0b28c0d7fa7c725e62f05a4083b085
    • Opcode Fuzzy Hash: 96e44d402891951904d9d184dfece275daed929eb0be2d65578de42a26d05812
    • Instruction Fuzzy Hash: D9B09231004209BBDB62BF95EC0A85DBF79BF51398B008162B90649121CB76E968AF94
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
    • GetSystemTime.KERNEL32(?,-11ED5FEC), ref: 005DAF30
    • GetFileTime.KERNEL32(?,?,?,?,-11ED5FEC), ref: 005DAF73
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: 5a7df9a0a6f689549edea66555740f8485014168a300fe4938cc18f85f95a65b
    • Instruction ID: d9171ba6a5ebe7ea247b93f290fede0d4e9a08952fdaa3f8715a95958cdb0ca2
    • Opcode Fuzzy Hash: 5a7df9a0a6f689549edea66555740f8485014168a300fe4938cc18f85f95a65b
    • Instruction Fuzzy Hash: 1101047620404BAACF216F59DC0CD8F7F36FFC5710B018563B50185261C73288A2DB61
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 005DBE00
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    • Associated: 00000000.00000002.1395995408.00000000003F0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396015885.00000000003F2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396036289.00000000003F6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396084199.0000000000406000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396229537.0000000000568000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396256449.000000000056B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396284310.000000000057E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396305884.0000000000580000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.0000000000582000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396327291.000000000058B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396384891.0000000000593000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396407255.0000000000594000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396428754.0000000000596000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396487254.00000000005BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396539038.00000000005DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396589226.00000000005FB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396613058.0000000000602000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396635301.0000000000603000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396657478.0000000000608000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396677656.0000000000609000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396698312.000000000060C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396725767.0000000000618000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396747028.000000000061C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396766273.000000000061D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396790990.0000000000624000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396813283.000000000062C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396835245.000000000062D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396864253.0000000000636000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396936876.0000000000683000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396959543.0000000000686000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.000000000068F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1396983184.0000000000695000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1397031396.00000000006A4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1397053897.00000000006A6000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 7b1bcd820385ae1991839b6fc591c082c7e13740bf3198133a90d38fa92fe246
    • Instruction ID: d61d368563d81a8ca8ce2216b39d344d0ddabbd115c7e7f105300855e2c61028
    • Opcode Fuzzy Hash: 7b1bcd820385ae1991839b6fc591c082c7e13740bf3198133a90d38fa92fe246
    • Instruction Fuzzy Hash: CBF0F23660420AEFDF51DF98C905A8D7FB2FF48304F10812AFA0596221D3769AA1EF84
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396888841.0000000000637000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID: L{
    • API String ID: 0-466732564
    • Opcode ID: 8326040e878ef5b1d0605e4ea6d4a3a4afb4b782b3c6c41d3cca6fc1608bf36b
    • Instruction ID: 225b561e65f56a6f01750dd4854efca381f27e634980c7d2df74c7f8c67294de
    • Opcode Fuzzy Hash: 8326040e878ef5b1d0605e4ea6d4a3a4afb4b782b3c6c41d3cca6fc1608bf36b
    • Instruction Fuzzy Hash: F761D3B350C600DFD305AA2CDC45A7EBBEAEB98360F25482ED6C6C7340EA354842D793
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396559947.00000000005DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID: +}|
    • API String ID: 0-2502784393
    • Opcode ID: 41b3d840aba6bba3e0a2eaaf7ff1fa0d33daebd196f509a8962f3cb3dbd2f009
    • Instruction ID: 69f6eeac297ee608fd7c10f82570cc5ad6ff73428f1e69d9a951a9574a568825
    • Opcode Fuzzy Hash: 41b3d840aba6bba3e0a2eaaf7ff1fa0d33daebd196f509a8962f3cb3dbd2f009
    • Instruction Fuzzy Hash: 4C5128F7A0C21CDBD600A92DAC8897BBF99E784750F354D3EE78AC3204E579484596A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID: g
    • API String ID: 0-30677878
    • Opcode ID: 7d98e1e8fcb4a9f123bf20ea14ec276ef018ebfe865d72b3a5dc0385e46cbcf8
    • Instruction ID: 10e3c14080be5b0460d9a5dbeb82c19c4b7f62d2c3eed23e7a6fba4ff2908812
    • Opcode Fuzzy Hash: 7d98e1e8fcb4a9f123bf20ea14ec276ef018ebfe865d72b3a5dc0385e46cbcf8
    • Instruction Fuzzy Hash: FB5146B7F1152547F3944D29CC643A27283ABE1325F2F827D8A896B7C9D93E9C0A5384
    Memory Dump Source
    • Source File: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e95288c4d343f17a7e7898ea2594b45b7298ff7be1eb433cec515ead82d83bfc
    • Instruction ID: 5ff707b0e4818dd7fe6f98467af2b1043c9fc6ea2a4b716a1f3f7884477095e6
    • Opcode Fuzzy Hash: e95288c4d343f17a7e7898ea2594b45b7298ff7be1eb433cec515ead82d83bfc
    • Instruction Fuzzy Hash: EA3150B290C200AFE305AF28D84667AFBE5FF58310F164D2DE6C593250EB3558508B87
    Memory Dump Source
    • Source File: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 23bf7fd7873fa3068dc28bbc86c694ece50a57393d7e37ee639f8b3f42658aa4
    • Instruction ID: 104b82dc7c5d6740d35bc5d53fefa073fdeb10e6d4db5fb5ffe3318d3e0c8c37
    • Opcode Fuzzy Hash: 23bf7fd7873fa3068dc28bbc86c694ece50a57393d7e37ee639f8b3f42658aa4
    • Instruction Fuzzy Hash: CB3161B290C200AFE305AF28DC4277AFBE5FF58310F16492DE6D593250EB3558508B87
    Memory Dump Source
    • Source File: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7e563c2e7d8d358649c7c54de9180a5a3b30f713d15ed19a23657718ea99d030
    • Instruction ID: d96a832a888fffdb6202c6872a4d6bbfffcafded5dbd603500d5fc968185e47f
    • Opcode Fuzzy Hash: 7e563c2e7d8d358649c7c54de9180a5a3b30f713d15ed19a23657718ea99d030
    • Instruction Fuzzy Hash: D63161B250C204AFE305BE18DC4677AFBE5FF58310F06492DEAC593250EB3258508B87
    Memory Dump Source
    • Source File: 00000000.00000002.1396057480.00000000003FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b5fa4832690c295f1da8657045ff702bef0871fb209742a952cfa531b253440b
    • Instruction ID: b09b20840edde34e6f5a612015f3fcd4568f5e1182b9c9d1e47954c13d4588cc
    • Opcode Fuzzy Hash: b5fa4832690c295f1da8657045ff702bef0871fb209742a952cfa531b253440b
    • Instruction Fuzzy Hash: B23168B7F112258BF3944D29CC54362B343EBE1315F2F81798A49AB7C9D93E9C0A6384
    Memory Dump Source
    • Source File: 00000000.00000002.1396450352.0000000000597000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9fad60c53dff7302cd25773e6210d2bbdc5ddac5aca6f53effcb606ae2cc1458
    • Instruction ID: f0bb696a4252b7df4399ddfb94055b45fe8580d814d331fe171e5eedf86f673c
    • Opcode Fuzzy Hash: 9fad60c53dff7302cd25773e6210d2bbdc5ddac5aca6f53effcb606ae2cc1458
    • Instruction Fuzzy Hash: 210142B251020ACBEB04CF94C204A9ABBB4FF88320F1A86A9D8055BB50D3B46CD0CB48
    APIs
      • Part of subcall function 005D6DAE: GetCurrentThreadId.KERNEL32 ref: 005D6DBD
      • Part of subcall function 005DB4AF: IsBadWritePtr.KERNEL32(?,00000004), ref: 005DB4BD
    • wsprintfA.USER32 ref: 005DA477
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 005DA53B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 7536f35b5339c7d485b706f1af4d69deeb9268d5346038c851d2122fa560eb0d
    • Instruction ID: 65777db3fbdccdbb3b9712e926b28a22bd7b59850e7f7c0dde13cd1a719b8c6d
    • Opcode Fuzzy Hash: 7536f35b5339c7d485b706f1af4d69deeb9268d5346038c851d2122fa560eb0d
    • Instruction Fuzzy Hash: 18310771A0010AFFDF21DFA8DC09EAEBF79FF88710F108526B611A6260D7719961DB61
    APIs
    • GetFileAttributesExW.KERNEL32(00B514BC,00004020,00000000,-11ED5FEC), ref: 005DB0EF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1396514519.00000000005CD000.00000040.00000001.01000000.00000003.sdmp, Offset: 003F0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_3f0000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 00d8b803baf9ae701c1b30f1f6f42f4110bc85fa05ced6bf1873cd18b76c248d
    • Instruction ID: 443113463223a7e64abcd91d33cecbf998b6d8e2ea8d32dc7fe02472637c4353
    • Opcode Fuzzy Hash: 00d8b803baf9ae701c1b30f1f6f42f4110bc85fa05ced6bf1873cd18b76c248d
    • Instruction Fuzzy Hash: 14315C75504305EFDB35CF58D848B9ABFB1FF48340F00852BE55666760C3B1AAA5DB90