
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561920
MD5: c83c27e0a38171f33fccf4b2600d26ba
SHA1: 3ba7ff69e865484bd954e630f0b538e78a73c897
SHA256: 5c13124239eba35acf4dcef7b193742f8e8a4be281cc9c60c585028aa1f76443
Tags: exe user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4844 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C83C27E0A38171F33FCCF4B2600D26BA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2125966795.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009119E2 0_2_009119E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D94A 0_2_0089D94A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071DB5F 0_2_0071DB5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EFE2F 0_2_008EFE2F
Source: file.exe, 00000000.00000000.2118852370.0000000000716000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2260424707.00000000011EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2827776 > 1048576
Source: file.exe | Static PE information: Raw size of toofgppz is bigger than: 0x100000 < 0x2ac400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2125966795.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.710000.0.unpack :EW;.rsrc:W;.idata :W;toofgppz:EW;xcabpzyl:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2c1aba should be: 0x2bc0dc
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: toofgppz
Source: file.exe | Static PE information: section name: xcabpzyl
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D371 push edi; mov dword ptr [esp], ebp 0_2_0089D3EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D371 push 7A7245C8h; mov dword ptr [esp], eax 0_2_0089D437
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D371 push esi; mov dword ptr [esp], 4FFCAAC0h 0_2_0089D456
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D371 push 671EBEEEh; mov dword ptr [esp], ebp 0_2_0089D491
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089D371 push eax; mov dword ptr [esp], 43F4F0A4h 0_2_0089D4F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071E430 push 64CD4543h; mov dword ptr [esp], edi 0_2_0071F5D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00721525 push ebx; mov dword ptr [esp], 1F8F472Ah 0_2_00723E1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071E5C2 push 68E6C861h; mov dword ptr [esp], esi 0_2_0071E5DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A9A0C push 1E3A4677h; mov dword ptr [esp], edi 0_2_008AA280
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AAFD9 push ebp; mov dword ptr [esp], eax 0_2_008AAFEA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A908B push esi; mov dword ptr [esp], ecx 0_2_008ACCB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00721066 push ebx; mov dword ptr [esp], ecx 0_2_0072356E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089A093 push ecx; mov dword ptr [esp], 09410FDFh 0_2_0089A095
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089A093 push ebp; mov dword ptr [esp], eax 0_2_0089A576
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AF090 push edx; mov dword ptr [esp], ebp 0_2_008AF098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071F06E push 4E7B545Bh; mov dword ptr [esp], edi 0_2_0071F885
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089A0A8 push 4F0D6FD5h; mov dword ptr [esp], eax 0_2_0089A0AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072105D push ecx; mov dword ptr [esp], esi 0_2_00720A9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072105D push 2D358ACFh; mov dword ptr [esp], ebp 0_2_00722307
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A00B9 push ebx; ret 0_2_008A00C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071C038 push ebx; mov dword ptr [esp], 7AF28902h 0_2_0071C4C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AD0E3 push ebp; mov dword ptr [esp], 7DFDA452h 0_2_008ADCA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AD0FA push 3F13F071h; mov dword ptr [esp], ecx 0_2_008AD5C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00722001 push 6923A756h; mov dword ptr [esp], edi 0_2_00724C24
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A90F7 push ebp; mov dword ptr [esp], 6CEE59E1h 0_2_008A9100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A90F7 push esi; mov dword ptr [esp], ecx 0_2_008A9109
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072400D push esi; mov dword ptr [esp], ecx 0_2_0072400E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007230F2 push 0BEFFA33h; mov dword ptr [esp], ecx 0_2_007230FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071C0D2 push esi; mov dword ptr [esp], edi 0_2_0071C4D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071C0D2 push edx; mov dword ptr [esp], ebp 0_2_0071C530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0071F0D5 push edx; mov dword ptr [esp], 00000004h 0_2_0071F107
Source: file.exe | Static PE information: section name: entropy: 7.790301985477709

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 71DBB8 second address: 71DBC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4924F39176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 885804 second address: 885808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 885808 second address: 88580E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88580E second address: 885819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D207 second address: 89D223 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4924F39176h 0x00000008 jmp 00007F4924F39182h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D3BA second address: 89D3BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D3BE second address: 89D3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4924F39180h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F4924F39176h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D52D second address: 89D532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D679 second address: 89D685 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007F4924F39176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D7F7 second address: 89D80F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFADh 0x00000007 push ecx 0x00000008 js 00007F4925A3CFA6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D951 second address: 89D95C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89DA99 second address: 89DAB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4925A3CFAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007F4925A3CFA8h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FC32 second address: 89FC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FC36 second address: 89FC40 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4925A3CFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FC40 second address: 89FC45 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FC45 second address: 89FCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx esi, cx 0x0000000d mov dh, 11h 0x0000000f push 00000000h 0x00000011 push 7BEE7DF4h 0x00000016 pushad 0x00000017 jmp 00007F4925A3CFAAh 0x0000001c push eax 0x0000001d jl 00007F4925A3CFA6h 0x00000023 pop eax 0x00000024 popad 0x00000025 xor dword ptr [esp], 7BEE7D74h 0x0000002c mov di, 1CE0h 0x00000030 push 00000003h 0x00000032 mov ecx, dword ptr [ebp+122D2E45h] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F4925A3CFA8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Ch 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 mov ecx, dword ptr [ebp+122D2CC1h] 0x0000005a push 00000003h 0x0000005c mov ecx, edx 0x0000005e call 00007F4925A3CFA9h 0x00000063 push esi 0x00000064 jno 00007F4925A3CFA8h 0x0000006a pop esi 0x0000006b push eax 0x0000006c pushad 0x0000006d push ebx 0x0000006e pushad 0x0000006f popad 0x00000070 pop ebx 0x00000071 jng 00007F4925A3CFACh 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FCD3 second address: 89FCE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FCE0 second address: 89FD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F4925A3CFACh 0x0000000f jng 00007F4925A3CFA6h 0x00000015 popad 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007F4925A3CFAFh 0x00000020 pop eax 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F4925A3CFA8h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Ch 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b lea ebx, dword ptr [ebp+12455ACCh] 0x00000041 mov edx, dword ptr [ebp+122D2B08h] 0x00000047 xchg eax, ebx 0x00000048 push edi 0x00000049 push eax 0x0000004a push edx 0x0000004b jno 00007F4925A3CFA6h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FDA7 second address: 89FE3E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4924F39176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d or edx, dword ptr [ebp+122D2C5Dh] 0x00000013 push 00000000h 0x00000015 and edi, dword ptr [ebp+122D2C15h] 0x0000001b mov dword ptr [ebp+122D1CF6h], edi 0x00000021 push E7D8C653h 0x00000026 jc 00007F4924F39183h 0x0000002c jmp 00007F4924F3917Dh 0x00000031 add dword ptr [esp], 18273A2Dh 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F4924F39178h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 push 00000003h 0x00000054 xor dh, 00000053h 0x00000057 push 00000000h 0x00000059 movzx esi, bx 0x0000005c push 00000003h 0x0000005e mov dl, E4h 0x00000060 push 63927568h 0x00000065 pushad 0x00000066 js 00007F4924F3918Dh 0x0000006c jmp 00007F4924F39187h 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FE3E second address: 89FEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 add dword ptr [esp], 5C6D8A98h 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F4925A3CFA8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 lea ebx, dword ptr [ebp+12455AD5h] 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F4925A3CFA8h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 mov edx, dword ptr [ebp+122D2E05h] 0x0000004f call 00007F4925A3CFB2h 0x00000054 mov cl, ADh 0x00000056 pop edi 0x00000057 xchg eax, ebx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FEB6 second address: 89FEBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FEBA second address: 89FECC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F4925A3CFA8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89FFCA second address: 8A005B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jc 00007F4924F3917Eh 0x00000010 jno 00007F4924F39178h 0x00000016 pop eax 0x00000017 sub edi, 443D1EBDh 0x0000001d push 00000003h 0x0000001f mov edx, ebx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F4924F39178h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 00000014h 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d jno 00007F4924F39176h 0x00000043 push 00000003h 0x00000045 jmp 00007F4924F3917Fh 0x0000004a push 463D6225h 0x0000004f jno 00007F4924F39181h 0x00000055 add dword ptr [esp], 79C29DDBh 0x0000005c or dword ptr [ebp+12452B85h], edx 0x00000062 lea ebx, dword ptr [ebp+12455AE0h] 0x00000068 sbb si, 6200h 0x0000006d push eax 0x0000006e jc 00007F4924F3918Eh 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A005B second address: 8A005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C075A second address: 8C079E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4924F3917Bh 0x00000008 je 00007F4924F39176h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F4924F39187h 0x00000019 pop ebx 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007F4924F3917Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C079E second address: 8C07C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFB0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F4925A3CFA6h 0x0000000f jmp 00007F4925A3CFAFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C07C7 second address: 8C07CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE588 second address: 8BE58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE86B second address: 8BE86F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE86F second address: 8BE89C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4925A3CFAFh 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F4925A3CFB4h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE89C second address: 8BE8A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F4924F39176h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE8A7 second address: 8BE8CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F4925A3CFB9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE8CB second address: 8BE907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4924F3917Ah 0x00000009 jmp 00007F4924F3917Eh 0x0000000e popad 0x0000000f jo 00007F4924F39185h 0x00000015 jmp 00007F4924F3917Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jbe 00007F4924F39176h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE907 second address: 8BE90B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BE90B second address: 8BE911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEA11 second address: 8BEA21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4925A3CFACh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEA21 second address: 8BEA72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jp 00007F4924F39176h 0x0000000b jne 00007F4924F39176h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 jmp 00007F4924F39186h 0x0000001c jmp 00007F4924F39185h 0x00000021 pop edi 0x00000022 jg 00007F4924F3917Eh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEBDC second address: 8BEBE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEBE2 second address: 8BEBF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F3917Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEEAC second address: 8BEEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEEB4 second address: 8BEEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BEEB8 second address: 8BEED8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4925A3CFA6h 0x00000008 jmp 00007F4925A3CFAFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF01A second address: 8BF030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 ja 00007F4924F39176h 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF030 second address: 8BF03D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4925A3CFA6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF1D0 second address: 8BF1DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F4924F39176h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF1DE second address: 8BF1E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF315 second address: 8BF336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4924F39189h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF48F second address: 8BF499 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4925A3CFA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF499 second address: 8BF4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push esi 0x00000008 pushad 0x00000009 jmp 00007F4924F39185h 0x0000000e push esi 0x0000000f pop esi 0x00000010 jno 00007F4924F39176h 0x00000016 jmp 00007F4924F39182h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8B76B5 second address: 8B76B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8B76B9 second address: 8B76F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jnl 00007F4924F39193h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4924F39182h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BF8E9 second address: 8BF8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8BFF2E second address: 8BFF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4924F3917Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C0086 second address: 8C00A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C05B8 second address: 8C05DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F4924F3917Ch 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F4924F3917Eh 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C1EFC second address: 8C1F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8C1F00 second address: 8C1F06 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8966D5 second address: 8966D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8966D9 second address: 8966F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F39183h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8CB18E second address: 8CB192 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA5F9 second address: 8CA5FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA5FD second address: 8CA61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4925A3CFB8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA771 second address: 8CA77A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA8C1 second address: 8CA8D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4925A3CFACh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA8D1 second address: 8CA8D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA8D7 second address: 8CA8DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CA8DD second address: 8CA8E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4924F39176h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAA3F second address: 8CAA55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4925A3CFB1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAD2E second address: 8CAD36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAD36 second address: 8CAD3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAD3B second address: 8CAD5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F4924F39184h 0x0000000b popad 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAD5D second address: 8CAD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAFEB second address: 8CAFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CAFEF second address: 8CB00A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4925A3CFB1h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CB00A second address: 8CB00E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CB00E second address: 8CB012 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCD4D second address: 8CCD53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCD53 second address: 8CCD9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4925A3CFADh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d add dword ptr [esp], 45087352h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F4925A3CFA8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e mov esi, edx 0x00000030 mov edi, dword ptr [ebp+122D58EFh] 0x00000036 push EC4A87A6h 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCD9D second address: 8CCDA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CCF02 second address: 8CCF1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4925A3CFB5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CDABE second address: 8CDAC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CDAC2 second address: 8CDAC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE18B second address: 8CE195 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4924F39176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE195 second address: 8CE1B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jg 00007F4925A3CFACh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE1B8 second address: 8CE1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE1BC second address: 8CE1EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4925A3CFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F4925A3CFA8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE1EE second address: 8CE1F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE1F4 second address: 8CE1FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F4925A3CFA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE7FA second address: 8CE813 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F39185h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D03A2 second address: 8D0427 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4925A3CFA8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4925A3CFB1h 0x00000012 nop 0x00000013 mov dword ptr [ebp+1247B20Ah], edx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F4925A3CFA8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000015h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 pushad 0x00000036 jg 00007F4925A3CFABh 0x0000003c call 00007F4925A3CFAFh 0x00000041 pop edi 0x00000042 popad 0x00000043 push 00000000h 0x00000045 mov dword ptr [ebp+12451863h], ebx 0x0000004b xchg eax, ebx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F4925A3CFB9h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D1811 second address: 8D1817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D1817 second address: 8D181B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D36BC second address: 8D36CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4924F3917Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D36CB second address: 8D36D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D94C8 second address: 8D94CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7888 second address: 8D788E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D94CE second address: 8D94D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB68B second address: 8DB71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F4925A3CFA8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov ebx, dword ptr [ebp+1245DB00h] 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F4925A3CFA8h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 0000001Ah 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 and bx, 44D8h 0x00000049 jmp 00007F4925A3CFB0h 0x0000004e push 00000000h 0x00000050 mov edi, dword ptr [ebp+122D2B19h] 0x00000056 xchg eax, esi 0x00000057 jnp 00007F4925A3CFB9h 0x0000005d push eax 0x0000005e je 00007F4925A3CFB0h 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 pop eax 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D9694 second address: 8D9715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F4924F39178h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 mov dword ptr [ebp+124562E7h], ecx 0x00000027 push dword ptr fs:[00000000h] 0x0000002e mov di, FBE1h 0x00000032 mov bx, ax 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c mov bh, dl 0x0000003e mov eax, dword ptr [ebp+122D0559h] 0x00000044 mov edi, 699CAE0Dh 0x00000049 push FFFFFFFFh 0x0000004b push 00000000h 0x0000004d push ebx 0x0000004e call 00007F4924F39178h 0x00000053 pop ebx 0x00000054 mov dword ptr [esp+04h], ebx 0x00000058 add dword ptr [esp+04h], 00000015h 0x00000060 inc ebx 0x00000061 push ebx 0x00000062 ret 0x00000063 pop ebx 0x00000064 ret 0x00000065 mov dword ptr [ebp+122D289Dh], eax 0x0000006b push eax 0x0000006c push ebx 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007F4924F3917Bh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA795 second address: 8DA79B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DA79B second address: 8DA7B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jno 00007F4924F39176h 0x00000012 jng 00007F4924F39176h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD915 second address: 8DD919 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD919 second address: 8DD91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DD9D9 second address: 8DD9F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F4925A3CFA6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jc 00007F4925A3CFACh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB8A5 second address: 8DB8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4924F39188h 0x0000000a jmp 00007F4924F39182h 0x0000000f popad 0x00000010 push eax 0x00000011 jbe 00007F4924F39184h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DB996 second address: 8DB9BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4925A3CFB1h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jng 00007F4925A3CFB2h 0x00000011 js 00007F4925A3CFACh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DEAAC second address: 8DEAB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DEAB1 second address: 8DEAD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F4925A3CFA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DEAD6 second address: 8DEADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DDC39 second address: 8DDC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DFA74 second address: 8DFADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F39180h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007F4924F3917Eh 0x00000010 nop 0x00000011 mov bh, 41h 0x00000013 mov edi, 2B195CE5h 0x00000018 push 00000000h 0x0000001a mov edi, 3BCECBC9h 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 call 00007F4924F39178h 0x00000029 pop eax 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc eax 0x00000037 push eax 0x00000038 ret 0x00000039 pop eax 0x0000003a ret 0x0000003b adc bx, 41C3h 0x00000040 xchg eax, esi 0x00000041 jl 00007F4924F39184h 0x00000047 push eax 0x00000048 push edx 0x00000049 jo 00007F4924F39176h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DFADE second address: 8DFAF7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F4925A3CFBCh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4925A3CFAAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DFAF7 second address: 8DFAFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E0A07 second address: 8E0A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4925A3CFB6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E0A21 second address: 8E0AAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F4924F39183h 0x00000010 jbe 00007F4924F39176h 0x00000016 popad 0x00000017 push esi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pop esi 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F4924F39178h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 jmp 00007F4924F39187h 0x0000003c jmp 00007F4924F39186h 0x00000041 push 00000000h 0x00000043 mov dword ptr [ebp+12475E0Eh], ecx 0x00000049 sub dword ptr [ebp+124517D4h], ebx 0x0000004f push 00000000h 0x00000051 mov edi, esi 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E0AAE second address: 8E0AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DEC99 second address: 8DED57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D3948h], eax 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov dword ptr [ebp+122D395Dh], ebx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007F4924F39178h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 00000017h 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e mov eax, dword ptr [ebp+122D1039h] 0x00000044 call 00007F4924F39184h 0x00000049 jc 00007F4924F39189h 0x0000004f jmp 00007F4924F39183h 0x00000054 pop edi 0x00000055 mov di, ax 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007F4924F39178h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 00000017h 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 mov edi, dword ptr [ebp+12451824h] 0x0000007a push eax 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e jmp 00007F4924F39189h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E0AB2 second address: 8E0AE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F4925A3CFADh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E1AAD second address: 8E1AD1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F4924F39186h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E39AF second address: 8E39B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E39B3 second address: 8E39BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E39BD second address: 8E3A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F4925A3CFA8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov dword ptr [ebp+12452B00h], eax 0x0000002f push 00000000h 0x00000031 pushad 0x00000032 mov edi, dword ptr [ebp+122D1D35h] 0x00000038 sbb eax, 46EC5702h 0x0000003e popad 0x0000003f xchg eax, esi 0x00000040 jmp 00007F4925A3CFAFh 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F4925A3CFADh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88F815 second address: 88F84A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 js 00007F4924F39176h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jl 00007F4924F39176h 0x00000015 popad 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007F4924F3918Ch 0x0000001f jmp 00007F4924F39184h 0x00000024 push eax 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88F84A second address: 88F874 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnp 00007F4925A3CFA6h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4925A3CFB8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E2B81 second address: 8E2B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88F874 second address: 88F878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E3B96 second address: 8E3BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4924F39185h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E2B85 second address: 8E2C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F4925A3CFB5h 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F4925A3CFA8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov ebx, dword ptr [ebp+122D2DE5h] 0x0000003c mov eax, dword ptr [ebp+122D0B5Dh] 0x00000042 and edi, dword ptr [ebp+122D2C8Dh] 0x00000048 mov edi, ebx 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push ebp 0x0000004f call 00007F4925A3CFA8h 0x00000054 pop ebp 0x00000055 mov dword ptr [esp+04h], ebp 0x00000059 add dword ptr [esp+04h], 0000001Bh 0x00000061 inc ebp 0x00000062 push ebp 0x00000063 ret 0x00000064 pop ebp 0x00000065 ret 0x00000066 nop 0x00000067 jbe 00007F4925A3CFAEh 0x0000006d push ebx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E994B second address: 8E9961 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4924F39176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E6BC2 second address: 8E6BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E6BC6 second address: 8E6BDE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4924F3917Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF91C second address: 8EF95A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4925A3CFAEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F4925A3CFD2h 0x00000010 jno 00007F4925A3CFACh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4925A3CFB2h 0x0000001d jng 00007F4925A3CFA6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EF0F6 second address: 8EF0FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9491E3 second address: 9491E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9491E9 second address: 949205 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4925A3CFA6h 0x00000008 jo 00007F4925A3CFA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F4925A3CFA6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949205 second address: 949209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949209 second address: 94920F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94920F second address: 94921E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F4924F39176h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948352 second address: 94835F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4925A3CFA8h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9484B7 second address: 9484BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9487CA second address: 9487ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jc 00007F4925A3CFACh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948AEC second address: 948AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948AF1 second address: 948B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4925A3CFB1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948B0B second address: 948B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948C49 second address: 948C5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948EF8 second address: 948F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4924F39176h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jo 00007F4924F39176h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948F0F second address: 948F19 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4925A3CFA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951827 second address: 95182B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F9FC second address: 94FA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94FA05 second address: 94FA1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F39181h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94FA1C second address: 94FA4A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F4925A3CFB1h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jnc 00007F4925A3CFC0h 0x00000013 js 00007F4925A3CFAAh 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c pop eax 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94FA4A second address: 94FA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9502AF second address: 9502BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9502BC second address: 9502DE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4924F39178h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F4924F39180h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9502DE second address: 9502F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4925A3CFB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9505EA second address: 9505F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9516A4 second address: 9516C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4925A3CFB5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9516C4 second address: 9516D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F3917Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9516D7 second address: 9516EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F4925A3CFB2h 0x0000000c ja 00007F4925A3CFA6h 0x00000012 jnp 00007F4925A3CFA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F493 second address: 94F4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jg 00007F4924F39182h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F4A2 second address: 94F4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4925A3CFA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4925A3CFAFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F4BE second address: 94F4D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F3917Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F4D2 second address: 94F4E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFACh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95491E second address: 954983 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4924F39189h 0x00000007 jmp 00007F4924F3917Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jg 00007F4924F39176h 0x00000016 jmp 00007F4924F39186h 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F4924F39188h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954983 second address: 954989 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9592DE second address: 9592E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9592E2 second address: 9592EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9592EA second address: 9592F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9592F0 second address: 9592F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9592F6 second address: 9592FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 958E6D second address: 958E7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 958E7F second address: 958E8F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4924F3917Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 958E8F second address: 958E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 965A92 second address: 965AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4924F3917Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 965AA5 second address: 965ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnp 00007F4925A3CFA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 965ABE second address: 965AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 965AC4 second address: 965AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4925A3CFA6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e jmp 00007F4925A3CFADh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 965AE3 second address: 965AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9654E5 second address: 9654F1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4925A3CFA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9654F1 second address: 965505 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4924F3917Eh 0x00000008 jc 00007F4924F39176h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 965505 second address: 965509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97F9FC second address: 97FA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4924F39184h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97FCC3 second address: 97FCC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9827FD second address: 98280B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4924F39176h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DD99 second address: 88DD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88DD9F second address: 88DDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9862F5 second address: 9862F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 987EFC second address: 987F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jnl 00007F4924F39176h 0x0000000c pop edi 0x0000000d jmp 00007F4924F3917Ch 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98987B second address: 989885 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4925A3CFB2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989885 second address: 9898BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4924F39176h 0x0000000a pushad 0x0000000b jnc 00007F4924F39176h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4924F39187h 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9898BB second address: 9898C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FA2D second address: 98FA3C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4924F3917Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98FA3C second address: 98FA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4925A3CFAFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 88C405 second address: 88C40F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F4924F39176h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6594 second address: 9A6599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A6599 second address: 9A65A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F4924F39176h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ACE40 second address: 9ACE51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4925A3CFADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ACE51 second address: 9ACE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F4924F3917Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ACE5F second address: 9ACEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007F4925A3CFAAh 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ecx 0x0000000d jmp 00007F4925A3CFADh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jo 00007F4925A3CFA6h 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 jmp 00007F4925A3CFB3h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC891 second address: 9AC895 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC895 second address: 9AC89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ACB36 second address: 9ACB3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ACB3C second address: 9ACB53 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4925A3CFA6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F4925A3CFABh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ACB53 second address: 9ACB58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B02A4 second address: 9B02A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B02A8 second address: 9B02C0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4924F39176h 0x00000008 jl 00007F4924F39176h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnc 00007F4924F39178h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B02C0 second address: 9B02C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B02C6 second address: 9B02CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB672 second address: 9BB68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4925A3CFB1h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB68B second address: 9BB695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB695 second address: 9BB6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F4925A3CFD5h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4925A3CFB2h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB1E8 second address: 9BB1FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4924F3917Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB1FD second address: 9BB201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB201 second address: 9BB210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B3D85 second address: 9B3D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F4925A3CFAEh 0x0000000b ja 00007F4925A3CFA6h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFDED second address: 8CFDFE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4924F39176h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CFDFE second address: 8CFE03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D000B second address: 8D0010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 71DB10 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 71DC1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8C3438 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8C1D00 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 71B0FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8E999A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 8D4BBA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 95A764 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 51C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A000A rdtsc 0_2_008A000A
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008FDB13 GetSystemInfo,VirtualAlloc, 0_2_008FDB13
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0089FCBB Start: 0089FCD3 End: 0089FCE0 0_2_0089FCBB
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A000A rdtsc 0_2_008A000A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071B7B6 LdrInitializeThunk, 0_2_0071B7B6
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK matrix (techniques listed per tactic; a leading number is the figure the report displays beside that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; 2 Bypass User Account Control; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 41 Disable or Modify Tools; 261 Virtualization/Sandbox Evasion; 1 Process Injection; 3 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 2 Bypass User Account Control
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 641 Security Software Discovery; 2 Process Discovery; 261 Virtualization/Sandbox Evasion; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1561920
Start date and time:2024-11-24 20:00:07 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 26s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.512573662466733
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'827'776 bytes
MD5:c83c27e0a38171f33fccf4b2600d26ba
SHA1:3ba7ff69e865484bd954e630f0b538e78a73c897
SHA256:5c13124239eba35acf4dcef7b193742f8e8a4be281cc9c60c585028aa1f76443
SHA512:9925559c4454ad3545ccf70f85428885cd596490ed81c508d04cc18a5be58407693d1078a3dd69b46e60828ef5c580f89de3fbdb37fd4ad0d55446f120a3b899
SSDEEP:49152:VVadeCDmsnrJ9ADCnMa6I0uiOn58aJa8UeMKcL:2deCDzrAmnMk0Un58yaWMn
TLSH:11D54BA2B40571CFD48F17789427CE826D9D03F9572409D7A86CB4BA7EB7CC129B6C28
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ........................+.......,...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6ba000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F49248AF62Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 913415cf5df5e96c8a71082a96989083 | False | 0.9338107638888888 | data | 7.790301985477709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
toofgppz | 0xa000 | 0x2ae000 | 0x2ac400 | 3f7dfc782a5332e7e3db754f492f4a94 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xcabpzyl | 0x2b8000 | 0x2000 | 0x600 | 8e645ff0e888c9c90e5e608c7452118f | False | 0.5846354166666666 | data | 5.071402394364557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2ba000 | 0x4000 | 0x2200 | b92bb9987323716744378821110a5f6b | False | 0.0764016544117647 | DOS executable (COM) | 0.9800117128445186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID:0
Start time:14:01:05
Start date:24/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x710000
File size:2'827'776 bytes
MD5 hash:C83C27E0A38171F33FCCF4B2600D26BA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:5.2%
    Dynamic/Decrypted Code Coverage:4.4%
    Signature Coverage:5.7%
    Total number of Nodes:298
    Total number of Limit Nodes:18

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11BB5FEC), ref: 008FDB1F
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 008FDB80
    Memory Dump Source
    • Source File: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 37132c10a7794330de36c6778f408b7bd223ba6313b5ebc75a965f6f12a25aa7
    • Instruction ID: 6912767d7ffee6d180e76dde1553afa49c8bb7069f025af2c42a85b23cf0b3bb
    • Opcode Fuzzy Hash: 37132c10a7794330de36c6778f408b7bd223ba6313b5ebc75a965f6f12a25aa7
    • Instruction Fuzzy Hash: 9E4124B190430AAFD725DFB18945FA7BBACFB48740F1001A6BB07DD582EAB095D4C791
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 008A0078
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 568cd388760a8410ae4f48c193b01acebf7e8cd27eff65fccf8b5480d9616734
    • Instruction ID: a70f0133704977d30429230f67e45b04ace2678873edc8711d610d39cdf5adf5
    • Opcode Fuzzy Hash: 568cd388760a8410ae4f48c193b01acebf7e8cd27eff65fccf8b5480d9616734
    • Instruction Fuzzy Hash: 4601F7B6908B496EF701CF795D80BBF7B98FB9A314F31441BE445D6852C16009499E36
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
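    The dump identifiers above pack the facts an analyst wants from each region into fixed fields: the 16-digit field is the region base (it matches the reported Offset), the 8-digit field after it is the Windows page protection (00000040 = PAGE_EXECUTE_READWRITE, 00000080 = PAGE_EXECUTE_WRITECOPY, 00000004 = PAGE_READWRITE, 00000008 = PAGE_WRITECOPY), and the 8-digit field two places later is the allocation type (01000000 = MEM_IMAGE on every dump marked "based on PE: true", 00020000 = MEM_PRIVATE on the 05050000 dump marked "based on PE: false"). The script below is an added example, not part of this Joe Sandbox report or of any Joe Security tool: it decodes those fields and ranks the regions so that executable, writable memory outside any PE image (the kind of region that hosts the OpenSCManagerW and ControlService code later in this report) and image sections whose rights were changed to write+execute come first. The field positions are my reading of the identifiers on this page and the remaining fields are deliberately left undecoded; both are assumptions.

```python
"""Decode Joe Sandbox memory-dump identifiers and rank regions for triage (added example)."""
import re
from dataclasses import dataclass

# Windows page-protection constants (winnt.h), low byte of the protection field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Windows allocation types (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: field layout as read from the identifiers in this report. Field 4 is the
# region base (matches the report's "Offset"), field 5 the page protection, field 7 the
# allocation type. Fields 1, 2, 6 and 8 are captured but not interpreted here.
_ID_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    dump_id: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    def classify(self) -> str:
        """Coarse verdict used to order the regions for manual review."""
        exe = (self.protect & 0xFF) in EXECUTABLE
        wr = (self.protect & 0xFF) in WRITABLE
        if exe and wr and self.mem_type == 0x20000:
            return "RWX_PRIVATE"   # code in anonymous memory: injected or unpacked
        if exe and wr and self.mem_type == 0x1000000:
            return "RWX_IMAGE"     # PE section whose rights were changed in place
        if exe:
            return "EXEC"
        return "DATA"


def parse_dump_id(ident: str) -> DumpRegion:
    """Split one '....sdmp' identifier into its decoded fields."""
    m = _ID_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump identifier: {ident!r}")
    return DumpRegion(
        dump_id=m["dump"],
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["type"], 16),
    )


def triage(idents):
    """Return (base, protection, type, verdict) rows, most suspicious first."""
    order = {"RWX_PRIVATE": 0, "RWX_IMAGE": 1, "EXEC": 2, "DATA": 3}
    rows = []
    for ident in idents:
        r = parse_dump_id(ident)
        rows.append((f"0x{r.base:08X}", r.protect_name, r.type_name, r.classify()))
    return sorted(rows, key=lambda row: (order[row[3]], row[0]))


# Sample input: four identifiers taken from this report (link text already stripped).
SAMPLE_IDS = [
    "00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_IDS):
        print(*row)
```

    Run over the full Associated list, the 05050000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE) sorts to the top, the alternating 00000040/00000080 pages of the unpacked image at 00710000 follow as RWX_IMAGE, and the PAGE_READWRITE header page at 00710000 sorts last.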
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: e7e4ee3d492ab73c1a1843bf35f803c324b6abc264f74275341f13b5ed623d02
    • Instruction ID: 392f7d170385b5c29e66ea4bf6cf7132f3f28a947ae2f06d674c3b53c2fe4def
    • Opcode Fuzzy Hash: e7e4ee3d492ab73c1a1843bf35f803c324b6abc264f74275341f13b5ed623d02
    • Instruction Fuzzy Hash: B0E0C2311485C9CADF16AF7888017DA761EEB80B00F600125FA018AEC5CB3D6D928795

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 008F2560
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 008F2574
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 5f027a41d585666eee162a4fae4fcfe95d3c938fa918586d5264b4fbc5c015c3
    • Instruction ID: 2b7dd57ee27216a5a8f8eb5c315eb809b00293818920c84035ea4389042003e1
    • Opcode Fuzzy Hash: 5f027a41d585666eee162a4fae4fcfe95d3c938fa918586d5264b4fbc5c015c3
    • Instruction Fuzzy Hash: 5531697190010EEFDF25AF74D914ABD7B76FF18310F104115FA06DA461C77199A0DB66

    Control-flow Graph
    • Entry 008F2955, 18 basic blocks. The block at 008F2A05 branches to either GetModuleHandleW (008F2A0F) or GetModuleHandleA (008F2A1D), both rejoining at 008F2A26; internal calls go to 008F22B9, 008F0D7C, 008F148E and 008F0E27.
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,008F28E7,?,00000000,00000000), ref: 008F2A12
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,008F28E7,?,00000000,00000000), ref: 008F2A20
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 7495d2e06458435ceee6fa7d1ed3b00c41d89a84db51bf4f22acff9d7114ad48
    • Instruction ID: a8062147c84ae0bcc81634fd6dcc0e61439a602cae7d06d4c4bf59d8f0eb7937
    • Opcode Fuzzy Hash: 7495d2e06458435ceee6fa7d1ed3b00c41d89a84db51bf4f22acff9d7114ad48
    • Instruction Fuzzy Hash: 5C11273060566EEADB31EF34D808B797AB1FB00399F104225FA03C54E5C77699A4DAA2

    Control-flow Graph
    • Entry 008A9A0C, 17 basic blocks. The first block runs straight from 008A9A0C to 008AE833 (about 20 KB of linear code), then RegOpenKeyA is reached through two blocks (008AE835 with HKEY_CURRENT_USER, 008AE85C with HKEY_LOCAL_MACHINE, matching the APIs below), GetNativeSystemInfo sits at 008AE8BD, and the block at 008AE912 branches back to itself; the remaining paths lead through 008AA268 and end at 008AB8AC.
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 008AE848
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 008AE86F
    • GetNativeSystemInfo.KERNELBASE(?), ref: 008AE8C6
    Memory Dump Source
    • Source File: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 42cd9b5c49cfd371ce783ffda406c9a4fdb578833ba04fbd9da49491b099b717
    • Instruction ID: 77df333791e8af20cfdb525f1c9467695721414092fa402c79df651fbbee8feb
    • Opcode Fuzzy Hash: 42cd9b5c49cfd371ce783ffda406c9a4fdb578833ba04fbd9da49491b099b717
    • Instruction Fuzzy Hash: 24310C7150420EEEEF21DF60C848BEF37AAFB06314F544926E982C2D51DBB64CA4DB59

    Control-flow Graph
    • Entry 008F132F, 21 basic blocks, single exit block at 008F148A. PathAddExtensionA is called from the block at 008F138A; the path then makes up to four calls to the internal routine 008F0FD0 (at 008F13B3, 008F13FC, 008F1425 and 008F144E), each followed by a check that can jump to the exit, and a final call to 008F1009 at 008F1477.
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 008F1391
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: c8f39ad89ec365c4cd7f74eaebad96b3bf355fa9e18a5138301bce0097774fe1
    • Instruction ID: 9205a2df4f656563136c2a2cbfd84c90fe33b71eabe2dc3215fd8c34abfca40d
    • Opcode Fuzzy Hash: c8f39ad89ec365c4cd7f74eaebad96b3bf355fa9e18a5138301bce0097774fe1
    • Instruction Fuzzy Hash: 11313875A0120EFFDF228FA4CC09BAEBA76FF94700F101154FA01A50A0D7729A60DF65

    Control-flow Graph
    • Entry 05050D41, 7 basic blocks. OpenSCManagerW is called in the block 05050DAB-05050DDA; its two successor blocks (05050DDC and 05050DE3) rejoin at 05050DE3.
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05050DCD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5050000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID: ]p
    • API String ID: 1889721586-1110362306
    • Opcode ID: 591741b5c60ebc5fa63c1d8ff7ceb3a77166f3eb884ab23e6b894c2961bd8f0b
    • Instruction ID: bae02283747db62db18a3a9d98af27112787c9b869d13e97c0cc81b73c760837
    • Opcode Fuzzy Hash: 591741b5c60ebc5fa63c1d8ff7ceb3a77166f3eb884ab23e6b894c2961bd8f0b
    • Instruction Fuzzy Hash: 2D214CB6D00209CFCB50CF99D984ADEFBF5FB88320F14851AD908AB244C7346545CFA4

    Control-flow Graph
    • Entry 05050D48, 7 basic blocks (the same routine as above, entered seven bytes later). OpenSCManagerW is called in the block 05050DAB-05050DDA; its two successor blocks (05050DDC and 05050DE3) rejoin at 05050DE3.
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05050DCD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5050000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID: ]p
    • API String ID: 1889721586-1110362306
    • Opcode ID: eda192b8f1fe54c4c1d6c8101589b99773d5a0645c36f404a768abdbb722c4ad
    • Instruction ID: 2e1be3e58cc6b3fbebb900a723c8a5ee10f37a2d07d58e44cf828624f2fd5d90
    • Opcode Fuzzy Hash: eda192b8f1fe54c4c1d6c8101589b99773d5a0645c36f404a768abdbb722c4ad
    • Instruction Fuzzy Hash: 3C2147B6C00218DFCB50CF99D888ADEFBF4FF88320F14811AD908AB205C734A940CBA4

    Control-flow Graph
    control_flow_graph 207 5051510-505158d ControlService 209 5051596-50515b7 207->209 210 505158f-5051595 207->210 210->209
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05051580
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5050000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID: ]p
    • API String ID: 253159669-1110362306
    • Opcode ID: 4e2a3490f1044a5c28d4fbd32fd12a4380c6d02fe43bbb2a52ad99028372dd4d
    • Instruction ID: 12f5edbe8f49de157fe4571e7c8abb16432259f9a3270a5497aba980fc4c1781
    • Opcode Fuzzy Hash: 4e2a3490f1044a5c28d4fbd32fd12a4380c6d02fe43bbb2a52ad99028372dd4d
    • Instruction Fuzzy Hash: C71117B5900249DFDB10CF9AC984BDEFBF4EB48320F108029E959A3240D778A644CFA5

    Control-flow Graph
    control_flow_graph 212 5051509-5051550 213 5051558-505158d ControlService 212->213 214 5051596-50515b7 213->214 215 505158f-5051595 213->215 215->214
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05051580
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5050000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID: ]p
    • API String ID: 253159669-1110362306
    • Opcode ID: f91cc4ed6bba6b142b898a652f61c3a30e667143f849c942ba0227ff202030ca
    • Instruction ID: 152c906e37789a7ca6b4fa1c4d76a70b873e11656365f13de2ec2c63d219cf71
    • Opcode Fuzzy Hash: f91cc4ed6bba6b142b898a652f61c3a30e667143f849c942ba0227ff202030ca
    • Instruction Fuzzy Hash: CE1106B5900249CFDB10CF9AD584BDEFBF4EB58320F108029D559A3251C738A644CFA5

    Control-flow Graph
    control_flow_graph 217 5051301-5051341 218 5051349-5051374 ImpersonateLoggedOnUser 217->218 219 5051376-505137c 218->219 220 505137d-505139e 218->220 219->220
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05051367
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5050000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID: ]p
    • API String ID: 2216092060-1110362306
    • Opcode ID: 4c968e8a5575224d2c7c09ec740d5a5e8038306fdf162b1151db86de190a30a7
    • Instruction ID: 7ce028c7af128ad0e2139f69f4ee0ed3d5cd3046c44b1bcc8929c1eb8d0e98c1
    • Opcode Fuzzy Hash: 4c968e8a5575224d2c7c09ec740d5a5e8038306fdf162b1151db86de190a30a7
    • Instruction Fuzzy Hash: 891146B5800249CFDB20CF9AD984BDEBBF4EF48320F148429D518A3240D778A545CBA1

    Control-flow Graph
    control_flow_graph 222 5051308-5051374 ImpersonateLoggedOnUser 224 5051376-505137c 222->224 225 505137d-505139e 222->225 224->225
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05051367
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2261937544.0000000005050000.00000040.00000800.00020000.00000000.sdmp, Offset: 05050000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5050000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID: ]p
    • API String ID: 2216092060-1110362306
    • Opcode ID: f99409eb6ee92c3735e925452778a574f4a10659fa3c44b5320ae830d1f748d7
    • Instruction ID: d086957f63c9136c29813f6ec9c0480dcbfb6ef349e4281af123649cf1b3c830
    • Opcode Fuzzy Hash: f99409eb6ee92c3735e925452778a574f4a10659fa3c44b5320ae830d1f748d7
    • Instruction Fuzzy Hash: 781136B5800249CFDB20CF9AD944BDEFBF8EB48320F14841AD558A3240D778A944CFA5

    Control-flow Graph
    control_flow_graph 227 8f2a3e-8f2a51 call 8f0d7c 230 8f2a57-8f2a63 call 8f148e 227->230 231 8f2a94-8f2aa8 call 8f0e27 GetModuleHandleExA 227->231 235 8f2a68-8f2a6a 230->235 236 8f2ab2-8f2ab4 231->236 235->231 237 8f2a70-8f2a77 235->237 238 8f2a7d 237->238 239 8f2a80-8f2aad call 8f0e27 237->239 238->239 239->236
    APIs
      • Part of subcall function 008F0D7C: GetCurrentThreadId.KERNEL32 ref: 008F0D8B
      • Part of subcall function 008F0D7C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 008F0DCE
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 008F2AA2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 3ce9d155378a65b9852be91994f21e31c82c29a2012b4819d362561d3318dca9
    • Instruction ID: 2137fb3da7c81ad4aad615aad6ee58deda77087d8d9eca5736c1687cb39e1a34
    • Opcode Fuzzy Hash: 3ce9d155378a65b9852be91994f21e31c82c29a2012b4819d362561d3318dca9
    • Instruction Fuzzy Hash: 0EF01D7260021DEFDB209F78D945ABA3BA5FF18354F208115FF16C9052D731D8A0DA61

    Control-flow Graph
    control_flow_graph 270 8f0d7c-8f0d92 GetCurrentThreadId 271 8f0d94-8f0da0 270->271 272 8f0ddb-8f0de8 call 8f7bfb 271->272 273 8f0da6-8f0da8 271->273 273->272 274 8f0dae-8f0db5 273->274 276 8f0dbb-8f0dc2 274->276 277 8f0dca-8f0dd6 Sleep 274->277 276->277 279 8f0dc8 276->279 277->271 279->277
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 008F0D8B
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 008F0DCE
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 77bc5c9440e653cc07dfe5f6d1305058fd0f65c9aa396a0de5786404770b2057
    • Instruction ID: c172d4789f4c4dc9405877e058e9fda135f358dc3fde28b19df28a5670eeb197
    • Opcode Fuzzy Hash: 77bc5c9440e653cc07dfe5f6d1305058fd0f65c9aa396a0de5786404770b2057
    • Instruction Fuzzy Hash: 5CF0673150250DEEDB21AFA4E98876AB2B4FB4132AF600269E202D6042D7712986DA82
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 5b85e057e51f9bef08c479f7e567941b2c01c6aef33a16556ae9e6957b023268
    • Instruction ID: 38f838d2df29c820bb7ade69ed6c524800702ad2c05d62a7ab49464c92c9e74e
    • Opcode Fuzzy Hash: 5b85e057e51f9bef08c479f7e567941b2c01c6aef33a16556ae9e6957b023268
    • Instruction Fuzzy Hash: EF416DB214C308AFD311BF49DC816BAFBE8FB55721F25482DE6C592A00E77558409B67
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 1d02ab94d72c9a4771db345962725c5ddedeaf6175d8ba3c8bcebb55c7f97be1
    • Instruction ID: 25d67ebddf5258ff3feacaa677350e1b214671b77f5a747e9dae3b72315b0b72
    • Opcode Fuzzy Hash: 1d02ab94d72c9a4771db345962725c5ddedeaf6175d8ba3c8bcebb55c7f97be1
    • Instruction Fuzzy Hash: 26314DF660C300AFE301AE49DC85BBAFBE9EFD4760F15482DE7C182640E63558548A67
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 97b76e3cd5119d5cba273badea1dea173d4661333a3b44475c7fc7b53031deb1
    • Instruction ID: c258e91631d0788280e61c0c642c82ab2893074997431e7e6fd6153bd0b04668
    • Opcode Fuzzy Hash: 97b76e3cd5119d5cba273badea1dea173d4661333a3b44475c7fc7b53031deb1
    • Instruction Fuzzy Hash: F42127B324C2556EEA05AE549D50BEB7B1DFB83334F344436F601D7543EEA05D05A270
    Memory Dump Source
    • Source File: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c03684220e4916e5a988c6b26032c9eba3329a76d3eaee4e7aa23fa3825d7c34
    • Instruction ID: e067fe2e9fe90b3fbd897f03f21b2c632d074dd523d377e92e0b6409453a5e5a
    • Opcode Fuzzy Hash: c03684220e4916e5a988c6b26032c9eba3329a76d3eaee4e7aa23fa3825d7c34
    • Instruction Fuzzy Hash: 01418E7190020DEFDB25DF34C844BBA7BB1FF24318F208494EA02EA5A1D379ADA0DB55
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 008F356B
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6524a70fd3fa7f5b8913a9fdd6b907415c32ebbbb6b1e32cb23bc812cd32f2a1
    • Instruction ID: d9524709f72c18f8003217970ff2703502fb192ec7562516641c387877003e69
    • Opcode Fuzzy Hash: 6524a70fd3fa7f5b8913a9fdd6b907415c32ebbbb6b1e32cb23bc812cd32f2a1
    • Instruction Fuzzy Hash: 6A315BB1900208FEEB219F74DC45FAABBB8FF48714F208169FA05EA191C7719A51CF50
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 008F2D54
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a0bdf0b796e2814fb84dddaedc0838d6209e61d3f089454ccec73118868132cb
    • Instruction ID: be5cf1ed63fd7a8dd1e3a0c26f0e97c4c6de855b3a1c0668d72f90c4cad19523
    • Opcode Fuzzy Hash: a0bdf0b796e2814fb84dddaedc0838d6209e61d3f089454ccec73118868132cb
    • Instruction Fuzzy Hash: D2315E7164020DBEEB20AF64DC46FA9B7B8FB04728F204265F715EA0D1C3B1A581CF54
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 008FE339
    Memory Dump Source
    • Source File: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 78e025c38ba82fe7bbf5abc17eee0330bb1b7b441cf8378b8cbb48a5a753ffe2
    • Instruction ID: 28504b8e36f7e498a7dda145bc4c3f66d2e226f4439f9a615ade5a4e534398a7
    • Opcode Fuzzy Hash: 78e025c38ba82fe7bbf5abc17eee0330bb1b7b441cf8378b8cbb48a5a753ffe2
    • Instruction Fuzzy Hash: 56117C71A0132D9BFB205E358C4CFBAB76CFB19765F1041A5BA05E3261E7709D80CAA1
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 008A0078
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 2baf80771658d196129eaa9e54f4c4ee96f5be78b26f502375fbbc80784101e2
    • Instruction ID: c787b6be46f17dd2721f917703f9ac2211d716a82d78e4313f89b1b457a94e1e
    • Opcode Fuzzy Hash: 2baf80771658d196129eaa9e54f4c4ee96f5be78b26f502375fbbc80784101e2
    • Instruction Fuzzy Hash: FF0145B1608B565EE701CF389D91BBF7BA8FF96300F21082BE484C7853C26409498B66
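The "APIs" lines in these entries print call arguments as raw hex stack values, and each dump name encodes the region's base address, page protection and memory type. The following is an added example (it is not part of the Joe Sandbox report and not Joe Sandbox code) that decodes both: it resolves CreateFileA's 80000000 / 00000001 / 00000003 to GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING, reads GetModuleFileNameA's nSize (0x28A = 650 bytes), and flags image-backed dumps whose pages are PAGE_EXECUTE_READWRITE (0x40) or PAGE_EXECUTE_WRITECOPY (0x80), the kind of evidence behind the report's "Detected unpacking (changes PE section rights)" signature. The Win32 constants are exact; the .sdmp field layout (base in field 4, protection in field 5, region type in field 7) is an assumption inferred from the values, and the sample lines are copied from this report.

```python
"""Decode Joe Sandbox 'APIs' lines and .sdmp dump names from a function entry.

Added example, not Joe Sandbox code. Win32 constants are exact; the .sdmp field
layout (base / protection / region type in fields 4, 5 and 7) is an assumption
inferred from the values printed in the report.
"""
import re
from dataclasses import dataclass, field

# Win32 constants (exact values from the SDK headers).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

# Lines copied from this report; '?' marks a value the sandbox could not resolve.
SAMPLE_API_LINES = [
    "CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 008F356B",
    "CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 008F2D54",
    "GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 008FE339",
    "CreateFileA.KERNELBASE(00000000), ref: 008A0078",
]
SAMPLE_DUMPS = [
    "00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp",
]

API_LINE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int per argument, None where the report prints '?'
    ref: int              # call-site address inside the dumped region
    decoded: dict = field(default_factory=dict)


def _flags(value, table):
    """Render a bitmask symbolically, keeping any unnamed bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def _arg(args, i):
    return args[i] if i < len(args) else None


def _decode(call):
    d = {}
    if call.api in ("CreateFileA", "CreateFileW"):
        # Only the first seven values are CreateFile parameters; the report may print
        # further stack slots after them, which are ignored here.
        params = ["lpFileName", "dwDesiredAccess", "dwShareMode", "lpSecurityAttributes",
                  "dwCreationDisposition", "dwFlagsAndAttributes", "hTemplateFile"]
        for i, name in enumerate(params):
            v = _arg(call.args, i)
            if v is None:
                d[name] = "?"
            elif name == "dwDesiredAccess":
                d[name] = _flags(v, GENERIC_ACCESS)
            elif name == "dwShareMode":
                d[name] = _flags(v, SHARE_MODE)
            elif name == "dwCreationDisposition":
                d[name] = CREATION.get(v, hex(v))
            else:
                d[name] = hex(v)
    elif call.api in ("GetModuleFileNameA", "GetModuleFileNameW"):
        for i, name in enumerate(["hModule", "lpFilename", "nSize"]):
            v = _arg(call.args, i)
            d[name] = "?" if v is None else (v if name == "nSize" else hex(v))
    return d


def parse_api_line(line):
    m = API_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",") if a]
    call = ApiCall(m["api"], m["module"], args, int(m["ref"], 16))
    call.decoded = _decode(call)
    return call


@dataclass
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int


def parse_dump_name(name):
    f = name.split(".")
    if len(f) != 9 or f[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name!r}")
    # Assumed layout: base address, page protection and region type in fields 4, 5 and 7.
    return DumpRegion(name, int(f[3], 16), int(f[4], 16), int(f[6], 16))


def describe_region(r):
    return (f"{r.base:#010x} {PAGE_PROTECT.get(r.protect, hex(r.protect))} "
            f"{MEM_TYPE.get(r.mem_type, hex(r.mem_type))}")


def writable_image_regions(names):
    """Image-backed regions whose pages are writable and executable. Code sections of
    a normally linked PE map read/execute, so RWX image pages hold code written at run time."""
    regions = [parse_dump_name(n) for n in names]
    return [r for r in regions if r.mem_type == 0x1000000 and r.protect in (0x40, 0x80)]


if __name__ == "__main__":
    for line in SAMPLE_API_LINES:
        c = parse_api_line(line)
        print(f"{c.api} @ {c.ref:#010x}: {c.decoded}")
    for r in writable_image_regions(SAMPLE_DUMPS):
        print("writable image region:", describe_region(r))
```

Running it shows that both CreateFileA call sites at 008F356B and 008F2D54 open an existing file read-only with read sharing, that GetModuleFileNameA at 008FE339 is given a 650-byte buffer (larger than MAX_PATH), and that the 0x8F7000 and 0x8F4000 dumps, which are the source regions of the entries above, are writable and executable image pages.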
    APIs
    • CreateFileA.KERNELBASE(00000000), ref: 008A0078
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 757ce0d4a47e9022b0424bceabf32217560141bd4256a6ef9f954a6bfc818dca
    • Instruction ID: 5e400d2a41ab465670435289f2f68fe4bf09c03ade92d0d7e605963af3353ce3
    • Opcode Fuzzy Hash: 757ce0d4a47e9022b0424bceabf32217560141bd4256a6ef9f954a6bfc818dca
    • Instruction Fuzzy Hash: EAF0E5B5A08B165EE701AFB948C166F7BD4FFAA300F320429D484C7593D27548468A52
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 41e9f586a62457695baa51b9cbc00d51b92a4da753b44e8aa84382b8ce97ed2f
    • Instruction ID: 090bbc6702434792653e36762988c50a2bd4d9ffb3a0fbf84e164842b2797842
    • Opcode Fuzzy Hash: 41e9f586a62457695baa51b9cbc00d51b92a4da753b44e8aa84382b8ce97ed2f
    • Instruction Fuzzy Hash: 1CC0EA7241C618DFDB062F6498858FEFBE4FF19714F12092DE4D292910D73568509B96
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 3473f51b5d86c698bc570fd7370bc451830d4bbe2775d7cf62e498bd7b79e18d
    • Instruction ID: 6421e129a0c3fe91ed8bec01e22c5ded82bca1631f2edba0b45758b83c62d0ec
    • Opcode Fuzzy Hash: 3473f51b5d86c698bc570fd7370bc451830d4bbe2775d7cf62e498bd7b79e18d
    • Instruction Fuzzy Hash: 5C016173B0512C5783500E3E6C589DFBA55EBC4372B79412EEE8AA7380DD218C0185E8
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 0b338e14d0cefecdf4e1a4c0bc40aedb1089854ad3059b474059bf4f6d9dc2db
    • Instruction ID: 22d5e2a6854a55c3d511a8dbf00fa0ede4a5ad0bbf6e74b7050497744b19862e
    • Opcode Fuzzy Hash: 0b338e14d0cefecdf4e1a4c0bc40aedb1089854ad3059b474059bf4f6d9dc2db
    • Instruction Fuzzy Hash: 5001D631A0510EBECF219FA4CC05DEEBB76FF48340F405161E501E50A2DB328661DF61
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,008FDEB2,?,?,008FDBB8,?,?,008FDBB8,?,?,008FDBB8), ref: 008FDED6
    Memory Dump Source
    • Source File: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 0e6d24ef906b0dcfd4b516250c6cb5d6dfaaf801350d99c9d3324c183f3ed3c4
    • Instruction ID: 43258352c31871bad59146df4fa5ba0f364792e47e582fc484357d37554f9c8a
    • Opcode Fuzzy Hash: 0e6d24ef906b0dcfd4b516250c6cb5d6dfaaf801350d99c9d3324c183f3ed3c4
    • Instruction Fuzzy Hash: 31F081B190030AEFE721CF55CD05B69BFA5FF49751F208068FA4AAB592DBB198C08B54
    APIs
      • Part of subcall function 008F0D7C: GetCurrentThreadId.KERNEL32 ref: 008F0D8B
      • Part of subcall function 008F0D7C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 008F0DCE
    • CloseHandle.KERNELBASE(008F3493,-11BB5FEC,?,?,008F3493,?), ref: 008F3B0E
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0071E5C4
    Memory Dump Source
    • Source File: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    APIs
    • CloseHandle.KERNELBASE(?,?,008F0C1B,?,?), ref: 008F2B9B
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    Memory Dump Source
    • Source File: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d0662d649002fccdcb206bfc0e40698f39bf4bb6ea43fb3bc7a814cedf1ea9d5
    • Instruction ID: 90170736ae0ee04f77a8198435cd9b09345d3b581798a6920afa7569436eeaf8
    • Opcode Fuzzy Hash: d0662d649002fccdcb206bfc0e40698f39bf4bb6ea43fb3bc7a814cedf1ea9d5
    • Instruction Fuzzy Hash: 8E31E1B280D614DFD755BF68D88166AFBE4FF58720F06092DEAC493220E77558808B97
    Memory Dump Source
    • Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259269742.000000000071A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259393540.0000000000880000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259411320.0000000000883000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259432225.00000000008A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259465368.00000000008A9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259482388.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259499958.00000000008BA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259516963.00000000008BF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259537127.00000000008D5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259552385.00000000008D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259569480.00000000008DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259585182.00000000008E7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259600314.00000000008E8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259615004.00000000008E9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259634079.00000000008F4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259649594.00000000008F7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259673333.000000000091A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259688682.000000000091F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259703427.0000000000920000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259719307.0000000000926000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259733831.0000000000927000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259751352.0000000000929000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259767910.0000000000935000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259781890.0000000000936000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259795804.0000000000937000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259810126.0000000000939000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259826795.0000000000941000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259842679.0000000000942000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259856892.0000000000943000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259942133.0000000000945000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259960451.0000000000946000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2259982444.000000000094A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260000706.0000000000952000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260016944.0000000000953000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009AE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260056945.00000000009B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260092535.00000000009C8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2260112489.00000000009CA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 37b241eb16232925627e3d1d5f1c80da83e9c02556920bc005e1c8777046b26a
    • Instruction ID: 7779dc3158b908fc17bdd87ffd1dbae043e5188c285d6f7729b65f183842218e
    • Opcode Fuzzy Hash: 37b241eb16232925627e3d1d5f1c80da83e9c02556920bc005e1c8777046b26a
    • Instruction Fuzzy Hash: 87E065F72482243DF909A2856F44DBBE7ACFBC6738B34C43AFA06D6443E19059096131
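    The dump identifiers above pack the region's base address and page protection into the file name, which makes the listing itself useful for triage: every region is image-backed (the same 0x710000 module, "based on PE: true"), yet most of them carry protection 0x40 or 0x80 rather than the 0x20 a normally loaded code section has, which is what a runtime change of section rights by an unpacking stub looks like. The following Python is an added example written for this page, not part of the Joe Sandbox report or its tooling. The dot-separated field layout it assumes (process index, dump state, dump id, base address, page protection, unknown, memory type, unknown) is an assumption inferred from the names above; only the base address, protection and memory type fields are interpreted, using the PAGE_* and MEM_* constants from winnt.h. The embedded sample listing is copied from the entries above, including the "Download File" link text the report page appends, which the parser tolerates.

```python
"""Decode Joe Sandbox .sdmp dump names and flag image regions that are writable and executable.

ASSUMED field layout of the identifier (all fields hexadecimal, before ".sdmp"):
  proc_index . dump_state . dump_id . base_address . page_protection . <unknown> . mem_type . <unknown>
Only base_address, page_protection and mem_type are interpreted; the rest are carried through raw.
"""
import re
from typing import Optional

# Page protection constants from winnt.h (low byte; PAGE_GUARD etc. are modifier bits above it)
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Region type constants from winnt.h
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Sample listing copied from the report entries above (one Source File line, four Associated lines).
SAMPLE_LISTING = """\
Source File: 00000000.00000002.2259432225.000000000089A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
Associated: 00000000.00000002.2259213567.0000000000710000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259234529.0000000000712000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259250938.0000000000716000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2259287523.0000000000726000.00000080.00000001.01000000.00000003.sdmpDownload File
"""

# Eight hex fields joined by dots, then ".sdmp"; trailing page text after the name is ignored.
SDMP_RE = re.compile(r"([0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7})\.sdmp")


def parse_dump_name(line: str) -> Optional[dict]:
    """Decode the first .sdmp identifier found in `line`; None if the line carries none."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    fields = m.group(1).split(".")
    prot_raw = int(fields[4], 16)
    mem_raw = int(fields[6], 16)
    return {
        "name": m.group(0),
        "proc_index": int(fields[0], 16),
        "dump_state": int(fields[1], 16),
        "dump_id": fields[2],  # opaque identifier, kept as text
        "base": int(fields[3], 16),
        "protection_raw": prot_raw,
        # mask off PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE before the table lookup
        "protection": PAGE_PROTECTIONS.get(prot_raw & 0xFF, f"UNKNOWN(0x{prot_raw:X})"),
        "mem_type": MEM_TYPES.get(mem_raw, f"UNKNOWN(0x{mem_raw:X})"),
    }


def is_writable_and_executable(prot_raw: int) -> bool:
    """True for PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY (both W and X on the same pages)."""
    return (prot_raw & 0xFF) in (0x40, 0x80)


def decode_listing(text: str) -> list:
    """All decodable dump entries in a block of report text, in listing order."""
    return [rec for rec in (parse_dump_name(ln) for ln in text.splitlines()) if rec]


def rwx_image_regions(text: str) -> list:
    """Image-backed regions that are writable and executable, sorted by base address.

    A cleanly mapped PE has PAGE_EXECUTE_READ code and PAGE_READWRITE/PAGE_WRITECOPY data; W+X on
    MEM_IMAGE pages means the protections were changed after load, e.g. by an in-place unpacker.
    """
    hits = [r for r in decode_listing(text)
            if r["mem_type"] == "MEM_IMAGE" and is_writable_and_executable(r["protection_raw"])]
    return sorted(hits, key=lambda r: r["base"])


if __name__ == "__main__":
    for r in decode_listing(SAMPLE_LISTING):
        flag = "  <-- W+X" if is_writable_and_executable(r["protection_raw"]) else ""
        print(f"0x{r['base']:08X}  {r['protection']:<24} {r['mem_type']}{flag}")
```

Run on the full listing above rather than the five-line sample, the script reports the same pattern at scale: the region holding the PE header at 0x710000 is plain PAGE_READWRITE, one data region is PAGE_WRITECOPY, and every other image-backed region alternates between PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY. That is the memory-side evidence behind a section-rights-changed verdict and a good first filter for choosing which dump to load into IDA: the unpacked code is in the W+X regions, not in the on-disk image.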