Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562131
MD5: 2279cb27373137620622b50c8252e7f7
SHA1: 6aa22e3f08223831d0fe1cd4c203314a4597ae82
SHA256: 5a046fdbee1b681fe3ea9fba1367efce36b3f6b6a88339651f93ce8496d1728b
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5720 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2279CB27373137620622B50C8252E7F7)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010445CA CryptVerifySignatureA, 0_2_010445CA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2243777074.0000000005360000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100D499 | 0_2_0100D499
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6DDA5 | 0_2_00E6DDA5
Source: file.exe, 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2379042033.000000000177E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2787328 > 1048576
Source: file.exe | Static PE information: Raw size of jbfodduo is bigger than: 0x100000 < 0x2a2800
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2243777074.0000000005360000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W;jbfodduo:EW;xtxfamsb:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a9861 should be: 0x2b4059
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: jbfodduo
Source: file.exe | Static PE information: section name: xtxfamsb
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF6640 push 472A3DACh; mov dword ptr [esp], ebx | 0_2_00FFBBB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6E7E4 push ecx; mov dword ptr [esp], ebx | 0_2_00E6EE4A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101E637 push ecx; ret | 0_2_0101E636
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE9861 push ebx; mov dword ptr [esp], esp | 0_2_00FE99B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE99CD push ebp; mov dword ptr [esp], 495B90F5h | 0_2_00FE99F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE99CD push ecx; mov dword ptr [esp], edi | 0_2_00FE9A16
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE99CD push 1E21F264h; mov dword ptr [esp], eax | 0_2_00FE9AEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DD2B push eax; mov dword ptr [esp], 7FFF5DFDh | 0_2_0100DD5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DD2B push 07F9AE0Bh; mov dword ptr [esp], ecx | 0_2_0100DD9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DD2B push eax; mov dword ptr [esp], 17DF98A6h | 0_2_0100DDC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DE9F push 0BDFE230h; mov dword ptr [esp], edi | 0_2_0100DF3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E720FF push ebx; mov dword ptr [esp], ebp | 0_2_00E7211C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C0FF push 2AF771B9h; mov dword ptr [esp], edx | 0_2_00E6C911
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01034118 push eax; ret | 0_2_01034127
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01030133 push ebp; ret | 0_2_01030142
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C0D2 push ebp; mov dword ptr [esp], 2E0F466Bh | 0_2_00E6C0E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01032136 push ecx; ret | 0_2_01032145
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102413A push ecx; ret | 0_2_01024149
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E740A6 push ecx; mov dword ptr [esp], eax | 0_2_00E740BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101E143 push ecx; ret | 0_2_0101E152
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0103614B push ebp; ret | 0_2_0103615A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01038157 push ecx; ret | 0_2_01038166
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102E154 push edi; ret | 0_2_0102E163
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0103015D push ebx; ret | 0_2_0103016C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0103415D push edx; ret | 0_2_0103416C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01024162 push esi; ret | 0_2_01024171
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0101E16B push esi; ret | 0_2_0101E17A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01036175 push eax; ret | 0_2_01036184
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6C09D push 2AF771B9h; mov dword ptr [esp], edx | 0_2_00E6C911
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0103817F push ebx; ret | 0_2_0103818E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0102E188 push edx; ret | 0_2_0102E197
Source: file.exe | Static PE information: section name: entropy: 7.779883397377464

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100DECD second address: 100DED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100DED1 second address: 100DEFF instructions: 0x00000000 rdtsc 0x00000002 je 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64C0ADE4F3h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 jo 00007F64C0ADE4E8h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100DEFF second address: 100DF0E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F64C133C3C6h 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 100E07A second address: 100E082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010A5E second address: 1010A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010A68 second address: 1010A70 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010A70 second address: 1010A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1010A77 second address: 1010A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1012F85 second address: 1012FF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64C133C3D4h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F64C133C3D8h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 pushad 0x00000018 push edi 0x00000019 jo 00007F64C133C3C6h 0x0000001f pop edi 0x00000020 jmp 00007F64C133C3CAh 0x00000025 popad 0x00000026 mov eax, dword ptr [eax] 0x00000028 push ebx 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c pop edx 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F64C133C3D3h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1013182 second address: 10131C0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64C0ADE4F9h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F64C0ADE4F6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10131C0 second address: 10131CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10191EE second address: 10191F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1018DB9 second address: 1018DBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10190AE second address: 10190C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F64C0ADE4ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B7AF second address: 101B7D9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F64C133C3CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F64C133C3D7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B7D9 second address: 101B7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F64C0ADE4E6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F64C0ADE4EAh 0x00000015 mov eax, dword ptr [eax] 0x00000017 push edx 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B7F9 second address: 101B81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jnp 00007F64C133C3CAh 0x00000010 pop eax 0x00000011 movsx edi, si 0x00000014 push D9F68350h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B81C second address: 101B822 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101B959 second address: 101B95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101BB59 second address: 101BBA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F64C0ADE4F2h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F64C0ADE4F9h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101BC4B second address: 101BC4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C395 second address: 101C3AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C442 second address: 101C482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 xchg eax, ebx 0x00000005 push 00000000h 0x00000007 push edx 0x00000008 call 00007F64C133C3C8h 0x0000000d pop edx 0x0000000e mov dword ptr [esp+04h], edx 0x00000012 add dword ptr [esp+04h], 00000019h 0x0000001a inc edx 0x0000001b push edx 0x0000001c ret 0x0000001d pop edx 0x0000001e ret 0x0000001f add si, 40C1h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F64C133C3CFh 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C482 second address: 101C487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C7CF second address: 101C7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C7D3 second address: 101C7E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C7E0 second address: 101C7FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F64C133C3CEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C8E4 second address: 101C8FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F64C0ADE4E6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e ja 00007F64C0ADE4E8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C8FE second address: 101C902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C9CF second address: 101C9D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C9D3 second address: 101C9DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101C9DC second address: 101CA1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F64C0ADE4E6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f sub dword ptr [ebp+122D2FD7h], ebx 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 push edx 0x00000018 jmp 00007F64C0ADE4ECh 0x0000001d pop edx 0x0000001e push eax 0x0000001f jmp 00007F64C0ADE4F2h 0x00000024 pop eax 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101CA1C second address: 101CA20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101CEEF second address: 101CF35 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e call 00007F64C0ADE4F4h 0x00000013 mov di, dx 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 sub dword ptr [ebp+122D3A2Bh], ecx 0x0000001f push 00000000h 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 pushad 0x00000024 jmp 00007F64C0ADE4F1h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D9C4 second address: 101DA15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 jmp 00007F64C133C3D2h 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F64C133C3C8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2B25h], ecx 0x0000002d push 00000000h 0x0000002f or si, EBF5h 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 jng 00007F64C133C3C8h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D7D2 second address: 101D7F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE3BB5 second address: FE3BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE3BB9 second address: FE3BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F64C0ADE4F5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1020148 second address: 102014E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102014E second address: 1020152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10217E6 second address: 102183B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jmp 00007F64C133C3CDh 0x0000000b nop 0x0000000c push ecx 0x0000000d mov dword ptr [ebp+122D25D8h], ecx 0x00000013 pop esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F64C133C3C8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 push ecx 0x00000035 pushad 0x00000036 popad 0x00000037 pop ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F64C133C3CDh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102183B second address: 1021851 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F64C0ADE4E8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10222D7 second address: 10222DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10222DB second address: 10222E5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022BD5 second address: 1022C44 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F64C133C3D6h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov dword ptr [ebp+122D2466h], eax 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007F64C133C3C8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000016h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 call 00007F64C133C3C8h 0x0000003c pop ebx 0x0000003d mov dword ptr [esp+04h], ebx 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc ebx 0x0000004a push ebx 0x0000004b ret 0x0000004c pop ebx 0x0000004d ret 0x0000004e cld 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 push eax 0x00000052 pushad 0x00000053 popad 0x00000054 pop eax 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022C44 second address: 1022C56 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007F64C0ADE4F4h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1022C56 second address: 1022C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10236B4 second address: 10236BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10236BA second address: 10236BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10252ED second address: 1025304 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025304 second address: 1025322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F64C133C3CCh 0x0000000c jnc 00007F64C133C3C6h 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jns 00007F64C133C3C6h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025322 second address: 1025326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10283FF second address: 102841E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F64C133C3C6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F64C133C3CDh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102841E second address: 1028430 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F64C0ADE4E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028430 second address: 1028435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102997B second address: 1029985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F64C0ADE4E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029985 second address: 1029992 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029992 second address: 1029998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102A92F second address: 102A934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102A934 second address: 102A93F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F64C0ADE4E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102A93F second address: 102A9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F64C133C3D8h 0x0000000d nop 0x0000000e sub edi, dword ptr [ebp+122D2CB6h] 0x00000014 mov edi, esi 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F64C133C3C8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 mov edi, dword ptr [ebp+122D2C46h] 0x00000038 push 00000000h 0x0000003a ja 00007F64C133C3DEh 0x00000040 xchg eax, esi 0x00000041 jnl 00007F64C133C3CAh 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F64C133C3CEh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C9AA second address: 102C9AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C9AE second address: 102C9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10229DC second address: 10229E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1024009 second address: 102401F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64C133C3D2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029B0D second address: 1029BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F64C0ADE4F0h 0x0000000a popad 0x0000000b push eax 0x0000000c je 00007F64C0ADE500h 0x00000012 push edi 0x00000013 jmp 00007F64C0ADE4F8h 0x00000018 pop edi 0x00000019 nop 0x0000001a mov dword ptr [ebp+122D1CCCh], esi 0x00000020 push dword ptr fs:[00000000h] 0x00000027 mov ebx, dword ptr [ebp+122D2E5Ah] 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 call 00007F64C0ADE4F6h 0x00000039 sbb edi, 56FAF5FAh 0x0000003f pop edi 0x00000040 mov eax, dword ptr [ebp+122D006Dh] 0x00000046 mov ebx, dword ptr [ebp+122D2F4Eh] 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push esi 0x00000051 call 00007F64C0ADE4E8h 0x00000056 pop esi 0x00000057 mov dword ptr [esp+04h], esi 0x0000005b add dword ptr [esp+04h], 0000001Ah 0x00000063 inc esi 0x00000064 push esi 0x00000065 ret 0x00000066 pop esi 0x00000067 ret 0x00000068 jnp 00007F64C0ADE4ECh 0x0000006e add dword ptr [ebp+122D39D8h], edx 0x00000074 nop 0x00000075 push edi 0x00000076 push eax 0x00000077 push edx 0x00000078 push ebx 0x00000079 pop ebx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9D7 second address: 102E9DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E9DD second address: 102E9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DA98 second address: 102DAA5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F64C133C3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DAA5 second address: 102DB31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F64C0ADE4ECh 0x0000000e nop 0x0000000f xor di, 1A33h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b and bx, 0F7Ch 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F64C0ADE4E8h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 sub bx, 580Ch 0x00000046 mov bl, 51h 0x00000048 mov eax, dword ptr [ebp+122D0CC1h] 0x0000004e mov ebx, edi 0x00000050 push FFFFFFFFh 0x00000052 push 00000000h 0x00000054 push edx 0x00000055 call 00007F64C0ADE4E8h 0x0000005a pop edx 0x0000005b mov dword ptr [esp+04h], edx 0x0000005f add dword ptr [esp+04h], 00000014h 0x00000067 inc edx 0x00000068 push edx 0x00000069 ret 0x0000006a pop edx 0x0000006b ret 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 jmp 00007F64C0ADE4F0h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DB31 second address: 102DB35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DB35 second address: 102DB3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DB3B second address: 102DB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DB41 second address: 102DB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102F874 second address: 102F87A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10316E0 second address: 10316E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10316E6 second address: 10316EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106C2B5 second address: 106C2CD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64C0ADE4EEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1FA2 second address: FE1FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1FA7 second address: FE1FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C0ADE4EEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071A50 second address: 1071A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F64C133C3D0h 0x0000000c pushad 0x0000000d jo 00007F64C133C3C6h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F64C133C3D7h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d push esi 0x0000001e pop esi 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071E97 second address: 1071EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C0ADE4EFh 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F64C0ADE4EEh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1071EC0 second address: 1071ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F64C133C3CFh 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107434F second address: 1074359 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10744D2 second address: 10744D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079135 second address: 107913B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107913B second address: 1079155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F64C133C3CEh 0x0000000b popad 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079155 second address: 107915B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107894D second address: 1078951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1078BE5 second address: 1078BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107C003 second address: 107C032 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C133C3D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F64C133C3CDh 0x0000000f jp 00007F64C133C3CEh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BA24 second address: 107BA40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BA40 second address: 107BA45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BA45 second address: 107BA4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BD7B second address: 107BD80 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BD80 second address: 107BD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BD86 second address: 107BDB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 jmp 00007F64C133C3D8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F64C133C3C6h 0x00000015 jne 00007F64C133C3C6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107BDB4 second address: 107BDBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080026 second address: 108002A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108002A second address: 1080030 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10802E7 second address: 10802F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F64C133C3C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108044F second address: 1080459 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F64C0ADE4E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1080459 second address: 108046F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F64C133C3C6h 0x00000010 jbe 00007F64C133C3C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108046F second address: 1080491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4EDh 0x00000007 ja 00007F64C0ADE4E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007F64C0ADE4E6h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108061A second address: 1080627 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F64C133C3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101AEC0 second address: 101AF34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jg 00007F64C0ADE504h 0x00000011 nop 0x00000012 call 00007F64C0ADE4F7h 0x00000017 mov edi, dword ptr [ebp+1247C29Ah] 0x0000001d pop edx 0x0000001e mov dh, 88h 0x00000020 mov ebx, dword ptr [ebp+1247FE9Ch] 0x00000026 mov dword ptr [ebp+122D1D39h], eax 0x0000002c add eax, ebx 0x0000002e and ecx, 1A9AD2C8h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push edx 0x00000038 jng 00007F64C0ADE4E6h 0x0000003e pop edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101AF34 second address: 101AF3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1081376 second address: 108137C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108137C second address: 1081386 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64C133C3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1081386 second address: 108138C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108138C second address: 1081392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1081392 second address: 1081396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1081396 second address: 10813A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A473 second address: 108A47F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F64C0ADE4E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A47F second address: 108A4BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F64C133C3D9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F64C133C3D6h 0x00000012 jng 00007F64C133C3C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F02 second address: FD7F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F06 second address: FD7F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F0A second address: FD7F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C0ADE4F1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F64C0ADE4F4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F37 second address: FD7F54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C133C3D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F54 second address: FD7F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F5A second address: FD7F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C133C3D6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7F74 second address: FD7F88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4F0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1088493 second address: 10884B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F64C133C3C6h 0x0000000a jns 00007F64C133C3C6h 0x00000010 jmp 00007F64C133C3CDh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10884B1 second address: 10884DE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F64C0ADE4EBh 0x00000008 pop ebx 0x00000009 pushad 0x0000000a ja 00007F64C0ADE4E6h 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F64C0ADE4E6h 0x00000018 jnl 00007F64C0ADE4E6h 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10884DE second address: 10884E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10884E4 second address: 10884FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F64C0ADE4EEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1088783 second address: 1088797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F64C133C3CFh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1088A8E second address: 1088A9E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F64C0ADE4EAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1088D43 second address: 1088D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108901D second address: 1089040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F64C0ADE4E6h 0x00000009 jmp 00007F64C0ADE4F8h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089040 second address: 108904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108904C second address: 1089052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089052 second address: 1089056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089056 second address: 108905A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10895FE second address: 108960A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push ecx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD7EF7 second address: FD7F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089BC7 second address: 1089BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089BCD second address: 1089BD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089BD6 second address: 1089C11 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F64C133C3C6h 0x00000008 jng 00007F64C133C3C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F64C133C3D8h 0x00000018 jmp 00007F64C133C3D0h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089C11 second address: 1089C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F64C0ADE4E6h 0x00000009 jmp 00007F64C0ADE4EEh 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 jbe 00007F64C0ADE4EEh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A20E second address: 108A212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108EBE1 second address: 108EBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109288E second address: 1092892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092892 second address: 1092898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092898 second address: 10928CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C133C3D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F64C133C3D5h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10919D9 second address: 10919DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10919DE second address: 10919F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64C133C3CDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091B21 second address: 1091B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F64C0ADE4E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091B32 second address: 1091B43 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F64C133C3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1091B43 second address: 1091B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10921F8 second address: 1092248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64C133C3CDh 0x00000008 jmp 00007F64C133C3CEh 0x0000000d jnp 00007F64C133C3C6h 0x00000013 jmp 00007F64C133C3CFh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F64C133C3D8h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092248 second address: 109224C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10923D8 second address: 10923DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092548 second address: 109256F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F64C0ADE4F0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109B2C3 second address: 109B2F9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F64C133C3CCh 0x00000008 jbe 00007F64C133C3C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F64C133C3D6h 0x00000017 jnc 00007F64C133C3CEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10998B9 second address: 10998BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10998BF second address: 10998D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F64C133C3CBh 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F64C133C3C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10998D8 second address: 109994A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F64C0ADE4E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jng 00007F64C0ADE4E6h 0x00000013 jmp 00007F64C0ADE4F0h 0x00000018 pop eax 0x00000019 popad 0x0000001a pushad 0x0000001b pushad 0x0000001c jmp 00007F64C0ADE4F6h 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F64C0ADE4F2h 0x00000028 popad 0x00000029 jnl 00007F64C0ADE4FCh 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109994A second address: 109995D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C133C3CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099AD8 second address: 1099ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099C3B second address: 1099C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099C3F second address: 1099C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099F2D second address: 1099F43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C133C3D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099F43 second address: 1099F5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64C0ADE4F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099F5E second address: 1099F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F64C133C3CBh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F64C133C3CAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099F82 second address: 1099F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F64C0ADE4E6h 0x0000000a jmp 00007F64C0ADE4EEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099F9A second address: 1099FA7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F64C133C3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099FA7 second address: 1099FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A0EB second address: 109A0EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A0EF second address: 109A127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F64C0ADE4F5h 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop esi 0x0000000f popad 0x00000010 pushad 0x00000011 je 00007F64C0ADE4EEh 0x00000017 pushad 0x00000018 js 00007F64C0ADE4E6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A127 second address: 109A12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A12D second address: 109A140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F64C0ADE4EBh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109A2CA second address: 109A2CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109A82D second address: 109A840 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64C0ADE4EEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109A840 second address: 109A846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109A846 second address: 109A85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C0ADE4F2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109B168 second address: 109B170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109B170 second address: 109B174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098EE1 second address: 1098F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C133C3D2h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b jne 00007F64C133C3E8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F64C133C3C6h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109E410 second address: 109E417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109E417 second address: 109E421 instructions: 0x00000000 rdtsc 0x00000002 je 00007F64C133C3CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A1411 second address: 10A1418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A3EA3 second address: 10A3EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A3EA8 second address: 10A3EAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A3EAD second address: 10A3EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A3EBB second address: 10A3EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A402D second address: 10A4063 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jg 00007F64C133C3C6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F64C133C3D2h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F64C133C3CEh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A4063 second address: 10A408C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F64C0ADE4EDh 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F64C0ADE4F3h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AE627 second address: 10AE636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C133C3CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AE49D second address: 10AE4AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F64C0ADE4E6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B4E51 second address: 10B4E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F64C133C3CEh 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F64C133C3D2h 0x00000013 jng 00007F64C133C3C6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d pop esi 0x0000001e jns 00007F64C133C3C6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B481B second address: 10B4821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B6537 second address: 10B653C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE0584 second address: FE058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE058A second address: FE058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B83C0 second address: 10B83C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B83C5 second address: 10B83CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B83CA second address: 10B83D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B7FF4 second address: 10B7FFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B7FFD second address: 10B8003 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B8003 second address: 10B801B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F64C133C3CAh 0x00000008 push ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB642 second address: 10BB65E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F64C0ADE4F2h 0x00000010 jmp 00007F64C0ADE4ECh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB65E second address: 10BB691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C133C3D2h 0x00000007 jmp 00007F64C133C3D8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB691 second address: 10BB6AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64C0ADE4EAh 0x00000007 jns 00007F64C0ADE4E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB6AB second address: 10BB6B5 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F64C133C3C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB6B5 second address: 10BB6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F64C0ADE4ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB840 second address: 10BB848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB848 second address: 10BB855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F64C0ADE4F2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB855 second address: 10BB85B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10BB85B second address: 10BB87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 jns 00007F64C0ADE4E6h 0x0000000e pop eax 0x0000000f jmp 00007F64C0ADE4F0h 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10C45D0 second address: 10C45EA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F64C133C3D5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10C8842 second address: 10C884E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10C884E second address: 10C8858 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F64C133C3C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CD99A second address: 10CD9B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F64C0ADE4F0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB03 second address: 10CDB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB09 second address: 10CDB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB12 second address: 10CDB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB18 second address: 10CDB22 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64C0ADE4E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB22 second address: 10CDB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB28 second address: 10CDB3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64C0ADE4F3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB3F second address: 10CDB51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CDB51 second address: 10CDB65 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F64C0ADE4E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64C0ADE4EAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE3F8 second address: 10CE3FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE3FD second address: 10CE405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE405 second address: 10CE40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE40B second address: 10CE420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F64C0ADE4EAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CE420 second address: 10CE42E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F64C133C3C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10CEEC6 second address: 10CEED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F64C0ADE4E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D2BB4 second address: 10D2BDA instructions: 0x00000000 rdtsc 0x00000002 je 00007F64C133C3C6h 0x00000008 jmp 00007F64C133C3D9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D2BDA second address: 10D2BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D2808 second address: 10D2812 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D2812 second address: 10D2818 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DD712 second address: 10DD732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C133C3D7h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DD732 second address: 10DD738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DD738 second address: 10DD785 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F64C133C3D7h 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b jmp 00007F64C133C3CAh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F64C133C3D1h 0x00000018 jnc 00007F64C133C3CAh 0x0000001e push eax 0x0000001f push edx 0x00000020 jc 00007F64C133C3C6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DD785 second address: 10DD78B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DFCDC second address: 10DFD10 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F64C133C3D2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jno 00007F64C133C3C6h 0x00000013 jmp 00007F64C133C3CAh 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b jnl 00007F64C133C3C8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDCEE5 second address: FDCEF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F64C1328A56h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E1224 second address: 10E1228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E1228 second address: 10E1231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F9639 second address: 10F9662 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F64C0BCCAC7h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F64C0BCCAB6h 0x00000011 jl 00007F64C0BCCAB6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD2CDD second address: FD2CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11037D5 second address: 11037F3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F64C0BCCAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F64C0BCCAC0h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F919A second address: 10F91B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64C1328A67h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10F91B5 second address: 10F91EA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64C0BCCAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F64C0BCCAC2h 0x00000011 push ecx 0x00000012 jmp 00007F64C0BCCABCh 0x00000017 jnc 00007F64C0BCCAB6h 0x0000001d pop ecx 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FA571 second address: 10FA577 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E6DE93 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 103E533 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10A8E0C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E73345 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5550000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 57B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 55C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01024000 rdtsc 0_2_01024000
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5336 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01024000 rdtsc 0_2_01024000
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: $Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (the number in front of a technique is the count of signatures mapped to it)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 261 Virtualization/Sandbox Evasion | Security Account Manager | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
    No contacted IP infos
    Joe Sandbox version: 41.0.0 Charoite
    Analysis ID: 1562131
    Start date and time: 2024-11-25 08:43:08 +01:00
    Joe Sandbox product: CloudBasic
    Overall analysis duration: 0h 2m 37s
    Hypervisor based Inspection enabled: false
    Report type: full
    Cookbook file name: default.jbs
    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed: 3
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Sample name: file.exe
    Detection: MAL
    Classification: mal100.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information: Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • VT rate limit hit for: file.exe
    No simulations
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-part-0035.t-0009.t-msedge.net | somes.exe | malicious | RedLine | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | segura.vbs | malicious | Remcos | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | Cargo Invoice_pdf.vbs | malicious | Remcos, GuLoader | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | P0-4856383648383364838364836483.xls | malicious | Unknown | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | DHL AWB_004673321.vbe | malicious | FormBook | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | RFQ Nr. 201124559-201124569-201175771.com.exe | malicious | Remcos, GuLoader | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | Readouts.bat.exe | malicious | GuLoader | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Amadey, Stealc, Vidar | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
    No context
    Process: C:\Users\user\Desktop\file.exe
    File Type: CSV text
    Category: dropped
    Size (bytes): 226
    Entropy (8bit): 5.360398796477698
    Encrypted: false
    SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
    MD5: 3A8957C6382192B71471BD14359D0B12
    SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
    SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
    SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
    Malicious: true
    Reputation: high, very likely benign file
    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.462565047229498
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:2'787'328 bytes
    MD5:2279cb27373137620622b50c8252e7f7
    SHA1:6aa22e3f08223831d0fe1cd4c203314a4597ae82
    SHA256:5a046fdbee1b681fe3ea9fba1367efce36b3f6b6a88339651f93ce8496d1728b
    SHA512:b00d3f819833e8670c05ae36d7a1f18bfd6d7fcd78e07e7585cff262dc82b1fc4185200664cf35b63e403c618e45f0555ef7755ead5afde810c594d61a121f98
    SSDEEP:49152:2hCERqYTaq1RqcIq2RjfB8xAHVeJ2odMfO0:tERqYTaq1RyqA+ug2odMB
    TLSH:57D549A2A50972CFE8CE16B485A7CE86995D03F54F1308C39C6CB4BE7D63DC511BAD28
    File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. .......................@+.....a.*...`................................
    Icon Hash:00928e8e8686b000
    Entrypoint:0x6b0000
    Entrypoint Section:.taggant
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
    Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:2eabe9054cad5152567f0699947a2c5b
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
     | 0x2000 | 0x4000 | 0x1200 | fbed143f52c7329fd2d7cfac36948ad3 | False | 0.9314236111111112 | data | 7.779883397377464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    jbfodduo | 0xa000 | 0x2a4000 | 0x2a2800 | 6fb7602392ddeefbcf4311c6ea590dcd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    xtxfamsb | 0x2ae000 | 0x2000 | 0x400 | fc39e5540f20a8a2c8d1da6c5d86294b | False | 0.8681640625 | data | 6.584351880094142 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .taggant | 0x2b0000 | 0x4000 | 0x2200 | 2a241106d434e73fea66cd1ada931d9d | False | 0.060776654411764705 | DOS executable (COM) | 0.771561917279972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6090 | 0x30c | data |  |  | 0.42948717948717946
    RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
    DLL | Import
    kernel32.dll | lstrcpy
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Nov 25, 2024 08:44:09.423300028 CET | 1.1.1.1 | 192.168.2.6 | 0x4da0 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
    Nov 25, 2024 08:44:09.423300028 CET | 1.1.1.1 | 192.168.2.6 | 0x4da0 | No error (0) | s-part-0035.t-0009.t-msedge.net |  | 13.107.246.63 | A (IP address) | IN (0x0001) | false


    Target ID:0
    Start time:02:44:12
    Start date:25/11/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0xe60000
    File size:2'787'328 bytes
    MD5 hash:2279CB27373137620622B50C8252E7F7
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true


      Execution Graph

      Execution Coverage:3.2%
      Dynamic/Decrypted Code Coverage:9.2%
      Signature Coverage:0%
      Total number of Nodes:98
      Total number of Limit Nodes:8
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 7cc05b2068f1be8de0fac6bb838fb2c83c6c7eda2aaa24aa50077fef15a04372
      • Instruction ID: 09e5c4f6b68a92f052192165988ed282d6aa6c55cbf9dc8d2bd9b3a74158f7ca
      • Opcode Fuzzy Hash: 7cc05b2068f1be8de0fac6bb838fb2c83c6c7eda2aaa24aa50077fef15a04372
      • Instruction Fuzzy Hash: F5E0687B90C23A8DD7008F31AB8819D7B29FA94720F31A422F0C3D3442C2B80C8A4A24

      Control-flow Graph

      APIs
      • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00FF668C
      • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00FF66B3
      • GetNativeSystemInfo.KERNELBASE(?), ref: 00FF670A
      Memory Dump Source
      • Source File: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: Open$InfoNativeSystem
      • String ID:
      • API String ID: 1247124224-0
      • Opcode ID: ff2be331d20a3ff6a216ce4884276cc126d4da5d91196e85f6739c32fde99738
      • Instruction ID: 5a3516009a3128584f5d93b27ec4b7112e78ce72ebb5639b477395fe4229445e
      • Opcode Fuzzy Hash: ff2be331d20a3ff6a216ce4884276cc126d4da5d91196e85f6739c32fde99738
      • Instruction Fuzzy Hash: 0031E97280010E9FEF11DF50C849BEF3BA8EF15314F000526EA41C6961EBB65DA9AF5D

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID: tQIN
      • API String ID: 2962429428-414725259
      • Opcode ID: 00aef759c0198b90bbe363c1d4ead928906431e3d8a96599732657c518be1c7e
      • Instruction ID: ad8823040939668964e60518dee4f91cd060467a8d96e3c3ab990c13f40b577a
      • Opcode Fuzzy Hash: 00aef759c0198b90bbe363c1d4ead928906431e3d8a96599732657c518be1c7e
      • Instruction Fuzzy Hash: 423106B250C300AFE755AF58E882B7EFBE8EF44720F124C2DE2D586250D6394581CB6B

      Control-flow Graph
      • Blocks: 166 fe9861-fe9869 (LoadLibraryA); 167 fe9877-fe987d; 168 fe9883; 169 fe9891-fe99c7; 171 fe99c8
      • Edges: 166->167, 167->168, 167->169, 168->169, 169->171, 171->171 (self-loop)
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 02fafcb8751151244ac6eefe620e3889f555e6f20099c7cf11af30e13cae03e1
      • Instruction ID: 9116b1bd6401277baf70448d5c93c04ae317ba95f5869da23ffe4b26c314ad6a
      • Opcode Fuzzy Hash: 02fafcb8751151244ac6eefe620e3889f555e6f20099c7cf11af30e13cae03e1
      • Instruction Fuzzy Hash: 4A3150F250C200AFE705AF19D885ABEB7E9EFD4720F16482EE6C5C3650D6348944DA67

      Control-flow Graph
      • Blocks: 172 fe99cd-fe99d0 (LoadLibraryA); 173 fe99e3-fe9afd
      • Edges: 172->173
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 3c205df11154b78a9e9e2f57fafd917c4204c5eaaf630c99a880c4f0aacd8ddb
      • Instruction ID: 130325a5682b5bc42c3795c0c05c1c6a131dfba327f0df01b4eba6979618199d
      • Opcode Fuzzy Hash: 3c205df11154b78a9e9e2f57fafd917c4204c5eaaf630c99a880c4f0aacd8ddb
      • Instruction Fuzzy Hash: E2313AB250C304AFD7166F58D882B7AF7E8EF14320F12092DEAD5C3600E67658509B97

      Control-flow Graph
      • Blocks: 175 5590d41-5590d97; 177 5590d99-5590d9c; 178 5590d9f-5590da3; 179 5590dab-5590dda (OpenSCManagerW); 180 5590da5-5590da8; 181 5590ddc-5590de2; 182 5590de3-5590df7
      • Edges: 175->177, 175->178, 177->178, 178->179, 178->180, 180->179, 179->181, 179->182, 181->182
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05590DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5590000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 04b53258dfa353112484d85cc3ebfb7cd08d9f178218246b942bccd60e8dc22f
      • Instruction ID: fc4b73594f7ffe24208d4b947dbf5d5b82440be046b675d1c8cfd5ab8d7bfff2
      • Opcode Fuzzy Hash: 04b53258dfa353112484d85cc3ebfb7cd08d9f178218246b942bccd60e8dc22f
      • Instruction Fuzzy Hash: 182134B68002188FCF54CF99D984ADEBBF0BF88310F14861AD808AB244D734A501CBA5

      Control-flow Graph
      • Blocks: 184 5590d48-5590d97; 186 5590d99-5590d9c; 187 5590d9f-5590da3; 188 5590dab-5590dda (OpenSCManagerW); 189 5590da5-5590da8; 190 5590ddc-5590de2; 191 5590de3-5590df7
      • Edges: 184->186, 184->187, 186->187, 187->188, 187->189, 189->188, 188->190, 188->191, 190->191
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05590DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5590000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: a77dec586c4c3b9332a705339744a5c2b80476d5ef55ba486e8243f76de24b7c
      • Instruction ID: 8f7d68c2bee9f9914f1a692c54daff93eaab5a49748f1a1227b5c99a71d4fb4b
      • Opcode Fuzzy Hash: a77dec586c4c3b9332a705339744a5c2b80476d5ef55ba486e8243f76de24b7c
      • Instruction Fuzzy Hash: 752134B68013189FCF54CF99D884ADEFBF4FB88710F14851AD809AB244C738A540CBA5

      Control-flow Graph
      • Blocks: 198 5591510-559158d (ControlService); 200 559158f-5591595; 201 5591596-55915b7
      • Edges: 198->200, 198->201, 200->201
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 05591580
      Memory Dump Source
      • Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5590000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: ffb95b5a35de3d322667c7bb20c874f036acd3a5fc04525be684762b58fc87b3
      • Instruction ID: 8c694b18e997b78d4e9f3d6de098ce5380273a691f9f92580c648be3b910bbe9
      • Opcode Fuzzy Hash: ffb95b5a35de3d322667c7bb20c874f036acd3a5fc04525be684762b58fc87b3
      • Instruction Fuzzy Hash: C511D3B1900749DFDB10CF9AD584BDEFBF4BB48320F108429E559A7250D778A644CFA5

      Control-flow Graph
      • Blocks: 193 5591509-5591550; 194 5591558-559158d (ControlService); 195 559158f-5591595; 196 5591596-55915b7
      • Edges: 193->194, 194->195, 194->196, 195->196
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 05591580
      Memory Dump Source
      • Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5590000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 494aae367ffe84e71fd48a1ad42f27f1028329704b55c0f1e008f2dbdc4c2db0
      • Instruction ID: 9631c82348c17a1119c28157b8a9b80df77ced77d6fc4bd14696955a22bf88df
      • Opcode Fuzzy Hash: 494aae367ffe84e71fd48a1ad42f27f1028329704b55c0f1e008f2dbdc4c2db0
      • Instruction Fuzzy Hash: 222103B5900649CFDB10CF9AC585BDEBBF4BB48310F10842AE559A7240D738A644CFA5
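      The OpenSCManagerW and ControlService functions above were lifted from the 05590000 dump, which the report marks "based on PE: false": that code runs from memory no mapped image backs, which is consistent with the unpacking signatures listed for this sample. The following triage helper is an added example, not Joe Sandbox code. It parses the "APIs" / "Memory Dump Source" layout used in these blocks and lists the API calls that originate from such regions. The regular expressions, the ApiCall record, the watch list of service-control APIs and the embedded sample excerpt are this example's own assumptions; the sample reuses only addresses that appear in this report.

```python
"""Triage helper for Joe Sandbox function-analysis blocks.

Added example, not Joe Sandbox's own code. It assumes only the block layout
visible in this report: an 'APIs' list of lines shaped
'<Api>.<Module>(<args>), ref: <hex addr>' followed by a 'Memory Dump Source'
line carrying 'Offset: <hex base>, based on PE: true|false'. The regexes, the
ApiCall record and the service-control watch list are this example's own
choices, not report fields.
"""
import re
from dataclasses import dataclass

API_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

# Watch list (assumption: chosen for this example). Service-control calls made
# from memory that no PE image backs are the first thing to look at when the
# same report carries Defender-tampering signatures.
SERVICE_CONTROL_APIS = {
    "OpenSCManagerA", "OpenSCManagerW", "OpenServiceA", "OpenServiceW",
    "ControlService", "ChangeServiceConfigW", "CreateServiceW", "DeleteService",
}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    ref: int         # address of the call site ('ref:' in the report)
    dump: str        # .sdmp the function was lifted from
    base: int        # 'Offset' of that dump
    pe_backed: bool  # 'based on PE' flag of that dump

    @property
    def rva(self) -> int:
        """Call-site offset inside the dump (0xDCD for ref 05590DCD, base 05590000)."""
        return self.ref - self.base


def parse_blocks(text: str) -> list[ApiCall]:
    """Bind every API line to the next 'Memory Dump Source' line after it,
    which is how the report lays out one function block."""
    pending, calls = [], []
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            pending.append(m)
            continue
        s = SRC_RE.search(line)
        if s:
            for m in pending:
                calls.append(ApiCall(
                    api=m["api"], module=m["module"], ref=int(m["ref"], 16),
                    dump=s["dump"], base=int(s["base"], 16),
                    pe_backed=(s["pe"] == "true"),
                ))
            pending = []
    return calls


def flag_non_image_calls(calls: list[ApiCall]) -> list[ApiCall]:
    """Calls whose dump is not a mapped PE image (heap, VirtualAlloc'd or
    unpacked code); the report marks these 'based on PE: false'."""
    return [c for c in calls if not c.pe_backed]


def triage(text: str) -> dict:
    """Summary a reviewer can act on: every call from non-image memory, plus
    the subset that touches the service control manager."""
    calls = parse_blocks(text)
    non_image = flag_non_image_calls(calls)
    return {
        "total": len(calls),
        "non_image_count": len(non_image),
        "non_image_calls": [
            (c.api, c.module, f"{c.ref:08X}", f"{c.base:08X}", c.rva) for c in non_image
        ],
        "service_control_from_non_image": sorted(
            {c.api for c in non_image if c.api in SERVICE_CONTROL_APIS}
        ),
    }


# Constructed sample: four blocks in the report's layout, using addresses that
# appear in this report (an excerpt assembled for the example, not the page).
SAMPLE_REPORT = """\
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05590DCD
Memory Dump Source
• Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
APIs
• ControlService.ADVAPI32(?,?,?), ref: 05591580
Memory Dump Source
• Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
APIs
• MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 010448CD
Memory Dump Source
• Source File: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
APIs
• CreateThread.KERNELBASE(00000000,00000000), ref: 0102F8AF
Memory Dump Source
• Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

      Run it as a script against a saved copy of the function-analysis text. The rva value is the call-site offset inside the dump, which is the number to jump to after loading that .sdmp into a disassembler; the 05590000 region here yields 0xDCD for OpenSCManagerW and 0x1580 for ControlService.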

      Control-flow Graph
      • Blocks: 214 1044846-1044865; 217 10448b5-10448db (MapViewOfFileEx); 218 104486b-1044871; 224 10448e7; 225 10448e1-10448e2 (call 10447dd); 219 1044877-104487a; 220 104489e-10448b0; 222 1044897-1044899; 223 1044880-1044892; 226 10448ec; 229 10448f1-10448f3
      • Edges: 214->217, 214->218, 217->224, 217->225, 218->219, 218->220, 219->222, 219->223, 220->226, 222->226, 223->226, 225->224, 224->229, 226->229
      APIs
      • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 010448CD
      Memory Dump Source
      • Source File: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: FileView
      • String ID:
      • API String ID: 3314676101-0
      • Opcode ID: 21d0a56178d6fe6684b1fa58fa701c26fc0330235cb7351fc3360aff87d08154
      • Instruction ID: a0adc4158a1b31438b991bc6f57eb48ff49decd7dea0efda9ba60f581d8ae849
      • Opcode Fuzzy Hash: 21d0a56178d6fe6684b1fa58fa701c26fc0330235cb7351fc3360aff87d08154
      • Instruction Fuzzy Hash: E711BAB650018BEBDF129FA4DC44EDE3EAABF69341B044469FA9195420C736C471EB61

      Control-flow Graph
      • Blocks: 203 102f863-102f867; 204 102f812-102f84f (call 102f852); 205 102f869-102f895; 209 102f8a1-102f8bd (CreateThread, call 102f8c0); 210 102f89b
      • Edges: 203->204, 203->205, 205->209, 205->210, 210->209
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 0102F8AF
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: f8e1526bccd3cc586c7921936f54a1668767282181ac4901a0e1d5f654d7c37a
      • Instruction ID: b8eff6b36cb6bb06170078db016cef1d80973da330bb9de5e355c7916e3bbafe
      • Opcode Fuzzy Hash: f8e1526bccd3cc586c7921936f54a1668767282181ac4901a0e1d5f654d7c37a
      • Instruction Fuzzy Hash: 2E01D1B329423B3CE30199305E24BFFB66CEB95BA0F154425F545D78C2C3D119044736

      Control-flow Graph

      control_flow_graph 231 104462e-1044645 233 1044666-1044679 231->233 234 104464b-1044655 231->234 237 104467f-1044686 233->237 238 10446ba-10446d9 CreateFileMappingA 233->238 234->233 239 104465b-1044661 234->239 240 1044693-1044699 237->240 241 104468c 237->241 247 10446e3-10446e5 238->247 246 10446de 239->246 242 10446a6-10446af 240->242 243 104469f-10446a1 240->243 241->240 248 10446b5 242->248 243->246 246->247 248->246
      Memory Dump Source
      • Source File: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b9451f868efe79ce6e4721cbf3931515b63ffae76b4fd0414aadf2fc46a805ca
      • Instruction ID: 6e25a7d14db916571f48265b64f72d00d74d137371cbae8b1e4495ff7fa6dca2
      • Opcode Fuzzy Hash: b9451f868efe79ce6e4721cbf3931515b63ffae76b4fd0414aadf2fc46a805ca
      • Instruction Fuzzy Hash: 6D110CB260014BEFDF119FA8D848FDE3BAAAF98244F008065F98596060CB75C5A1DB52

      Control-flow Graph

      control_flow_graph 249 5591301-5591341 250 5591349-5591374 ImpersonateLoggedOnUser 249->250 251 559137d-559139e 250->251 252 5591376-559137c 250->252 252->251
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 05591367
      Memory Dump Source
      • Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5590000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 63479c84b291de9e086bf5330dc724fe86c225129cc6d342e3152e0ba9ec9cb1
      • Instruction ID: 376632dd05f8c450bd4c4cafa297b4e8421b1e8ae03a38b924f8999a465c8c94
      • Opcode Fuzzy Hash: 63479c84b291de9e086bf5330dc724fe86c225129cc6d342e3152e0ba9ec9cb1
      • Instruction Fuzzy Hash: B41113B1800649CFDB14CF9AD485BEEBBF4EB49320F24846AD518A3250C778A584CFA5

      Control-flow Graph

      control_flow_graph 254 5591308-5591374 ImpersonateLoggedOnUser 256 559137d-559139e 254->256 257 5591376-559137c 254->257 257->256
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE(?), ref: 05591367
      Memory Dump Source
      • Source File: 00000000.00000002.2380403122.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_5590000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: fbd5314ad4d29aa76d35315128571875437024ab3d37761fa34b6c19b5a9ad6b
      • Instruction ID: 5fe377451e9cf6d69887d451264c4c92cf4c38cb60e442ec56bebd48efefa9b9
      • Opcode Fuzzy Hash: fbd5314ad4d29aa76d35315128571875437024ab3d37761fa34b6c19b5a9ad6b
      • Instruction Fuzzy Hash: 831133B1800749CFDB20CF9AD845BDEFBF8EB48320F24846AD518A3240C778A944CFA5

      Control-flow Graph

      control_flow_graph 259 1036701-1036710 260 1036716-103671b 259->260 261 103671c-1036735 259->261 260->261 262 103674b-1036751 CreateThread 261->262 263 103673b 261->263 264 103675d-1036764 262->264 263->262 265 103676a-1036770 264->265 266 1036799-103763b call 103763e 264->266 265->266 267 1036776-103677e call 1036781 265->267 267->266
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 0103674B
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 6dc8ce91cdb3c3d5be84d2d03badc8f11f84f0d2d10c7d57ccff6aad15fcf71f
      • Instruction ID: f05973c4774814a0cbad47ab50962dceb50aebdb0c2274782dbf71dbb7cc1d4a
      • Opcode Fuzzy Hash: 6dc8ce91cdb3c3d5be84d2d03badc8f11f84f0d2d10c7d57ccff6aad15fcf71f
      • Instruction Fuzzy Hash: A4012B718483566AE706DF2448997FE3BACEF85710F74400DE6C04A4C2C79B5D44C608
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: b4913b56b0c50767de3303be25c20dcf439f8bc2aa76ac2b796957aebac35880
      • Instruction ID: 2016759c211e812209316e5a4f2f80d79fd5dfea437bb7706777fa6d1df5a52b
      • Opcode Fuzzy Hash: b4913b56b0c50767de3303be25c20dcf439f8bc2aa76ac2b796957aebac35880
      • Instruction Fuzzy Hash: 7EF0E9718C42376FDF02DE1449186EF3B69FF03271F340164ED8BA7982D7A52C109654
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: FindWindow
      • String ID:
      • API String ID: 134000473-0
      • Opcode ID: 31f0c1c728b4dff1f1c3d402b587d8c84679c456aaedbc29b421072fb230c3f7
      • Instruction ID: 155d02c0f4cd356c1c0b61e4ecead77faa8cf0418434424e1cc2751520c6fdaa
      • Opcode Fuzzy Hash: 31f0c1c728b4dff1f1c3d402b587d8c84679c456aaedbc29b421072fb230c3f7
      • Instruction Fuzzy Hash: 0DE0223204914A5AF7024E748988AFFFF3CFF27330B240581D8C11680B82881D198710
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 010337A9
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: a36da72919ad12a548da064055d6220b8a3d3730e65af2e0b3a9d217d31045cb
      • Instruction ID: 2a3b8e19f748d6daa0119789f72ac05a3e6ea792890167a9e4f8deb16dd13bb3
      • Opcode Fuzzy Hash: a36da72919ad12a548da064055d6220b8a3d3730e65af2e0b3a9d217d31045cb
      • Instruction Fuzzy Hash: 30E022B0244237BFD7275E3508E57EE7DACBF82B00F4801188982AEA83C28488058682
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: FindWindow
      • String ID:
      • API String ID: 134000473-0
      • Opcode ID: bc671c9b63c00d5494ee75f1a6e061d188e7bc42529ce1b49b9319bb039491e9
      • Instruction ID: f7554b6246c6e375305f38dcf4060ac56c95e9922fe4a16ea9e6e542d8464c65
      • Opcode Fuzzy Hash: bc671c9b63c00d5494ee75f1a6e061d188e7bc42529ce1b49b9319bb039491e9
      • Instruction Fuzzy Hash: B5F0657040631AABDF168F20C42579F7B64EF55754F64884CE9841B982C3BB6C13DB45
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: FindWindow
      • String ID:
      • API String ID: 134000473-0
      • Opcode ID: 2fab8521caa63909df21f28bf92ce5cfcc0621542bb74a82fea5b2a8bf8c215b
      • Instruction ID: 2a63cb7795863cf8073877577ca73ca065d7834e510e1620f1df10048d8439b0
      • Opcode Fuzzy Hash: 2fab8521caa63909df21f28bf92ce5cfcc0621542bb74a82fea5b2a8bf8c215b
      • Instruction Fuzzy Hash: 34D02BB398826635F64355F0CAC4BEDBF657F2B130F241050EDC51349752C409064341
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 3dbe3e5f0efb2b239c5fb43e83cbb0b68240d378203740e24471fd030a1cfe25
      • Instruction ID: 50d5f9650011ca874043b376fb2ecea715c7227779414c44323e959b21eac304
      • Opcode Fuzzy Hash: 3dbe3e5f0efb2b239c5fb43e83cbb0b68240d378203740e24471fd030a1cfe25
      • Instruction Fuzzy Hash: 33E0E5B250C604CFD7102F28E84577EBBF0EF84720F1A092CDAC407710D23514A4DA47
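      The function records above (the APIs, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity blocks) are what a triage script consumes when it wants to match this sample's functions, for instance the three FindWindow routines, against functions seen in other reports. The parser below is an added example written for this page; it is not Joe Sandbox's own code and not an official description of the report format. It assumes that `ref:` is the address of the call site, that the fourth and fifth dotted fields of an `.sdmp` name are the memory region's start address and its Windows page protection (the 0x40/0x80 values on the code regions match PAGE_EXECUTE_READWRITE/PAGE_EXECUTE_WRITECOPY), and that the trailing "Download File" on each Associated line is link residue to be stripped. The embedded sample is constructed from two of the records on this page, trimmed to a few lines.

```python
"""Parse Joe Sandbox per-function records (the "APIs / Memory Dump Source /
Joe Sandbox IDA Plugin / Similarity" blocks) into dicts and index them by the
similarity identifiers so functions can be matched across reports."""
import re

# "CreateThread.KERNELBASE(00000000,00000000), ref: 010337A9"
API_CALL_RE = re.compile(r"^(?P<api>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
# value of "Source File: <dump>, Offset: 00E60000, based on PE: true"
SOURCE_RE = re.compile(r"^(?P<dump>\S+),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)$")
LINK_RESIDUE = "Download File"   # suffix the report's download links leave on dump names
SECTIONS = ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Windows PAGE_* constants. Assumption: the fifth dotted field of an .sdmp name
# holds the region's protection (the report shows 0x40/0x80 on its code regions).
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_dump_name(name):
    """Split an .sdmp name into (region start address, protection name)."""
    parts = name.split(".")
    return int(parts[3], 16), PAGE_PROTECT.get(int(parts[4], 16), "unknown")


def parse_records(text):
    """One dict per 'APIs' heading; lines before the first heading are skipped."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":                       # a new function record starts here
                cur = {"api_calls": [], "source_dump": "", "image_base": 0,
                       "based_on_pe": False, "associated": [], "similarity": {}}
                records.append(cur)
            section = line
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_CALL_RE.match(line)
            if m:                                    # (api, args, call-site address)
                cur["api_calls"].append((m["api"], m["args"], int(m["ref"], 16)))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if m:
                cur["source_dump"] = m["dump"]
                cur["image_base"] = int(m["off"], 16)
                cur["based_on_pe"] = m["pe"] == "true"
        elif key == "Associated":
            if value.endswith(LINK_RESIDUE):
                value = value[:-len(LINK_RESIDUE)].strip()
            cur["associated"].append(value)
        elif section in ("Joe Sandbox IDA Plugin", "Similarity"):
            cur["similarity"][key] = value           # Snapshot File, API ID, Opcode ID, hashes, ...
    return records


def index_by_id(records, key="Instruction ID"):
    """Map a similarity identifier to the records carrying it (exact match)."""
    out = {}
    for r in records:
        out.setdefault(r["similarity"].get(key, ""), []).append(r)
    return out


def calls_by_api(records):
    """Map an API name (module suffix dropped) to the call-site addresses reaching it."""
    out = {}
    for r in records:
        for api, _args, ref in r["api_calls"]:
            out.setdefault(api.split(".")[0], []).append(ref)
    return out


# Constructed sample: two records copied from this report, trimmed, with the
# link residue left on the Associated lines to exercise the parser.
SAMPLE = """\
APIs
• CreateThread.KERNELBASE(00000000,00000000), ref: 010337A9
Memory Dump Source
• Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
• Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e60000_file.jbxd
Similarity
• API ID: CreateThread
• String ID:
• Opcode ID: a36da72919ad12a548da064055d6220b8a3d3730e65af2e0b3a9d217d31045cb
• Instruction ID: 2a3b8e19f748d6daa0119789f72ac05a3e6ea792890167a9e4f8deb16dd13bb3
APIs
Memory Dump Source
• Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
Similarity
• API ID: FindWindow
• Opcode ID: bc671c9b63c00d5494ee75f1a6e061d188e7bc42529ce1b49b9319bb039491e9
• Instruction ID: f7554b6246c6e375305f38dcf4060ac56c95e9922fe4a16ea9e6e542d8464c65
"""
```

      `index_by_id` matches on the exact Opcode ID or Instruction ID, which is what you want when hunting the same unpacked function in a second report of the same family; the Opcode and Instruction Fuzzy Hash values are Joe Sandbox's own similarity digests and this example does not attempt to score them. `calls_by_api` turns the `ref:` addresses into the list of call sites per imported API, so the CreateThread site at 010337A9 can be cross-checked against the image base 00E60000 of the dumped module.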
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: FindWindow
      • String ID:
      • API String ID: 134000473-0
      • Opcode ID: aa699889a12ac1e2f840b6b63bed481151e394e54e52828f094ce5b289e64841
      • Instruction ID: d109cc8bbeb77e75e49b56f0fbe88ba1b333ad7439ac7517130d46b54ad54ddd
      • Opcode Fuzzy Hash: aa699889a12ac1e2f840b6b63bed481151e394e54e52828f094ce5b289e64841
      • Instruction Fuzzy Hash: D1D02B736C415679D3039BF0CF80B9D7F25BF5A230F301464E5891346397D0080A9340
      APIs
      • VirtualProtect.KERNELBASE(?,00000004,00000040), ref: 0104F024
      Memory Dump Source
      • Source File: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: 22a89359cd9a2855c77e634d4b9ed61086902f59dbc123a198eb79db1b6c347b
      • Instruction ID: 65f761998a424ca6bfd0f61831e1835de522ddd2d1a61035d3371c0c1c77055c
      • Opcode Fuzzy Hash: 22a89359cd9a2855c77e634d4b9ed61086902f59dbc123a198eb79db1b6c347b
      • Instruction Fuzzy Hash: 43E046B0E4020AFFEB204E44CC80BBDBB70FB88710F1080A0FB11A9190D73699008A14
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 010337A9
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 90e9521135ca391e7f66aff0b89e8797e7acd77ae5e64eb39d19080de3058b67
      • Instruction ID: 61ef89137ba38f4472d589eaf062d73e28f5f7d7ccba3d83973063f7c4c3f01d
      • Opcode Fuzzy Hash: 90e9521135ca391e7f66aff0b89e8797e7acd77ae5e64eb39d19080de3058b67
      • Instruction Fuzzy Hash: D5D02BB068431779E362AE244CC5B9D7A2C7F88B00F140019D6404F4C1C79548194711
      APIs
      • CreateThread.KERNELBASE(00000000), ref: 0103081E
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: c08f1e188be6b6bf6442bcb3a3dc341c63c45c39bde95fc866abadfd30cac677
      • Instruction ID: eb200bbfb1cc2a7fcafa65c3c141ec063c4256c489e36defb85259c3965c82e2
      • Opcode Fuzzy Hash: c08f1e188be6b6bf6442bcb3a3dc341c63c45c39bde95fc866abadfd30cac677
      • Instruction Fuzzy Hash: 7FD05E3054552A9BC7515F30484A7DE7698DF4A721F040200E9C9069829BB64D14879A
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 010348C0
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: a45f0a79db494b0372c7029fc4d2d5b96a776cb774686762de1363603ccf8b1f
      • Instruction ID: d163d2238dda31844381bd8a9c4d6d2f5bb62c43f71a0c3fd985527e6b4c4347
      • Opcode Fuzzy Hash: a45f0a79db494b0372c7029fc4d2d5b96a776cb774686762de1363603ccf8b1f
      • Instruction Fuzzy Hash: 6ED05E3094435E6FCB106F3088997CF3A10EF22721F104314FD400AAC1CAB34C218798
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: f6795fd0ddb88e9caa1e860089dce92a73494e672a57b1b653726b885f7a8a96
      • Instruction ID: 43e0b41470d062c33275bdc3c8442bf5ee84a67cf42b5e6c8b7a18e35273bc53
      • Opcode Fuzzy Hash: f6795fd0ddb88e9caa1e860089dce92a73494e672a57b1b653726b885f7a8a96
      • Instruction Fuzzy Hash: 30C012210556A52AD3266BB00A5ABCE7A98BF57603F540449D7C90A592D75051418355
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 0102F8AF
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: d7b5f5bbb31dc75c0c03406810740f07b6182b4ab8e4b109c6c89bd2cc3cc39b
      • Instruction ID: 95a85315669bcc861d1cbef37664a41c5406ac944292444d08243d2fe8e1a6c6
      • Opcode Fuzzy Hash: d7b5f5bbb31dc75c0c03406810740f07b6182b4ab8e4b109c6c89bd2cc3cc39b
      • Instruction Fuzzy Hash: 5CD0A7725993AA1EC7032A300C7D74F3F104F27610F0444C2EA409E4C3D1D508044727
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 01035796
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 1864f305cd7691ebf6c2dd1c274b7fe6a6505df10d8ff4aee5af45dcd8fdb4df
      • Instruction ID: 0ed784bf850a5451ac58fcfe1d71bd23326f2d8d60aaedcc99986f7c74c7181a
      • Opcode Fuzzy Hash: 1864f305cd7691ebf6c2dd1c274b7fe6a6505df10d8ff4aee5af45dcd8fdb4df
      • Instruction Fuzzy Hash: 53D0A73158628F5FD7125F30CC6479E7B20EF4A610F108510EE4046CD3C7921C61CB45
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 010337A9
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: f9a31ef02a6d2680d20e77661164b4976d1a888cfba5a5abbb492910fcb0f37b
      • Instruction ID: 1fb0bf4d7d119608766dde398db5eef4cb90e230cc418d065ac762cb1f3db240
      • Opcode Fuzzy Hash: f9a31ef02a6d2680d20e77661164b4976d1a888cfba5a5abbb492910fcb0f37b
      • Instruction Fuzzy Hash: A2D080B154435A77E7153F3148E0B9E7D2ABF45710F100519DA555EBC3C6A64C144B05
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 01035796
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: ce9838494f6a4e82e2459af6fdcc076423cf033ae75ca767d311749a9ead8925
      • Instruction ID: 663b2acd78958e79e300f58ffb88782954372bbcf549603bee721070c30bb1ea
      • Opcode Fuzzy Hash: ce9838494f6a4e82e2459af6fdcc076423cf033ae75ca767d311749a9ead8925
      • Instruction Fuzzy Hash: 6AD0C93125524EABD7015F20CD99B9E3624FF86A20F004610EA411A9E3CBA21CA18B1A
      APIs
      • CreateThread.KERNELBASE(00000000,00000000), ref: 010337A9
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: ccd4cc4969c6e7c3f5dd2f0fe1dbabd2f913d02d4ea8654c5be7e2b820a714f6
      • Instruction ID: c44ffc64fa3c2775513d93dcb47e8e451a5edd2bb00e3020f9afb4485cf5e673
      • Opcode Fuzzy Hash: ccd4cc4969c6e7c3f5dd2f0fe1dbabd2f913d02d4ea8654c5be7e2b820a714f6
      • Instruction Fuzzy Hash: 25C08C7104030A6AC311AF208891B8E7A30AF46600F000408E2444A9C2CBA648108705
      APIs
      • CreateThread.KERNELBASE(00000000), ref: 010317DA
      Memory Dump Source
      • Source File: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 3fb07a7c34b6d3aed2188ea26471c2e1d9a9bcc64f5515b869f142db7254164d
      • Instruction ID: f73e10fcfffa5ee722dd567c2436351a2d499fd64d48a4cee50834714c6b0d6c
      • Opcode Fuzzy Hash: 3fb07a7c34b6d3aed2188ea26471c2e1d9a9bcc64f5515b869f142db7254164d
      • Instruction Fuzzy Hash: AEC02B3200112956C3012F200C047CD3B20DF2A130F140C40D184134828B356C00430C
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: FindWindow
      • String ID:
      • API String ID: 134000473-0
      • Opcode ID: 7974824750a564320f9d7a169583390fe064f177125d480ab612cb37e6af7572
      • Instruction ID: d20638614a7e41c568efe1cf2efaf9891f96bb152f0b3a22723dd6de8cf494a5
      • Opcode Fuzzy Hash: 7974824750a564320f9d7a169583390fe064f177125d480ab612cb37e6af7572
      • Instruction Fuzzy Hash: 74B012720552D936C3226B308C98F8D3D00CF11204F20054CB584044D744D754004B19
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: c9eb184b94e2c288131984543c3c02af51794afc917c994c81243bb4ed71440b
      • Instruction ID: 60d0ff983e13751ad57b7523e4aae617fd1a211d0fe16ae5918c184a78117aa9
      • Opcode Fuzzy Hash: c9eb184b94e2c288131984543c3c02af51794afc917c994c81243bb4ed71440b
      • Instruction Fuzzy Hash: 0B41A4F344C314AFE3017E59ED856FAFBECEB85730F22482DE6C182601E674194896A7
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 7df3b8b5ee83735553efda9624dbd168138ee1c87442299393ce7c8050701bde
      • Instruction ID: 2d3b07c9d981417038c816112be1b52c534085555f2ca0591dd52738b475f732
      • Opcode Fuzzy Hash: 7df3b8b5ee83735553efda9624dbd168138ee1c87442299393ce7c8050701bde
      • Instruction Fuzzy Hash: 1CF0F6A304D2967CF21346688EA8BFE7F5DAB52331F288898E9C509487868C15459325
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: e85a9fa654b596fa69b9a976c2a8f719e9f715f7e9b403cbad88f0ee28155617
      • Instruction ID: fa6c7c019424eeaf28e312e539bb1eda64f17d6db1e777e711ca13e74964f788
      • Opcode Fuzzy Hash: e85a9fa654b596fa69b9a976c2a8f719e9f715f7e9b403cbad88f0ee28155617
      • Instruction Fuzzy Hash: F2E08CE71882667CF5038A558A18BFEBB9D9B87B31B30C829F982D584B838A05492170
      Memory Dump Source
      • Source File: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2b166c208a2f23460fa3d8ae590c1fe3a6db74992ff3d515a6aba170f847981d
      • Instruction ID: 7995aa22b9a9f891782a522e0a68a7a03dd2d6c386a9de0574f622c52d3f6352
      • Opcode Fuzzy Hash: 2b166c208a2f23460fa3d8ae590c1fe3a6db74992ff3d515a6aba170f847981d
      • Instruction Fuzzy Hash: 8EE0223394C27A8DDB01EE31ADD40ED3B59EE59B20B006952F0CAC3043C57A18859A99
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 131d502bdf59790f9c8f24a846a49edc900e6658fa3f23aeda493e541294930c
      • Instruction ID: 15937d5b00a69d527e3b9b4bfbfd90fe719fd056773784477db93bc3431a7534
      • Opcode Fuzzy Hash: 131d502bdf59790f9c8f24a846a49edc900e6658fa3f23aeda493e541294930c
      • Instruction Fuzzy Hash: 8EE0CD7B90C1399CE700DF31BA9429E7B15E655334F215522F493D348196BD1D984E29
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 00E6ECD6
      Memory Dump Source
      • Source File: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 9b6e151a691d43860c6769cf75581a9c0a8062928ebcecfbfaf86d4991db1fd3
      • Instruction ID: cf5e80b5cc1595bc46589ba38743764c8337c664bf3f6340c2e820abb1d54b5e
      • Opcode Fuzzy Hash: 9b6e151a691d43860c6769cf75581a9c0a8062928ebcecfbfaf86d4991db1fd3
      • Instruction Fuzzy Hash: D0E06DF4648640DFD7109F18E0487BEB6E0EB44340F11882DE5C6963C4E2325C04DB47
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: the remaining dumps of the module mapped at 00E60000 (the same list as under the preceding function's Memory Dump Source; each list omits only that function's own Source File)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: fd6552796e1e239e6245831970021cdb1af65d397d4c9b39df3f91089f231ea5
      • Instruction ID: c078a155bc1ee3294ed04afdcd537e4fae14265f2633308116e870fdf3de907a
      • Opcode Fuzzy Hash: fd6552796e1e239e6245831970021cdb1af65d397d4c9b39df3f91089f231ea5
      • Instruction Fuzzy Hash: C2E0C23604D3439BE3518FB8D809768BB62FB24B01F10897DC1D6D7A92CB2A84009B46
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 00E6E7EA
      Memory Dump Source
      • Source File: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: the remaining dumps of the module mapped at 00E60000 (the same list as under the preceding function's Memory Dump Source; each list omits only that function's own Source File)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 0359c379e068a402e3ba9bf23713c908514737892583e46ae9f9d85fbed8ad99
      • Instruction ID: 5e8958ec417bf4c08536982668713b195791cd857da6859ffcad7fbef9e7500f
      • Opcode Fuzzy Hash: 0359c379e068a402e3ba9bf23713c908514737892583e46ae9f9d85fbed8ad99
      • Instruction Fuzzy Hash: 55D017B425864EDFDB406F7494496FE7BB0EF06311F104B08F8A19AAC0C7324C60DA1A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: the remaining dumps of the module mapped at 00E60000 (the same list as under the preceding function's Memory Dump Source; each list omits only that function's own Source File)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID:
      • String ID: NTDL
      • API String ID: 0-3662016964
      • Opcode ID: 34c82da6a358d9a2a390552a61b5ef47d084799c23c39141e51f3ff1fc984854
      • Instruction ID: 54ff34c2676582d606457468117b6caf18c071e8645c3fb55d157f83b82d1973
      • Opcode Fuzzy Hash: 34c82da6a358d9a2a390552a61b5ef47d084799c23c39141e51f3ff1fc984854
      • Instruction Fuzzy Hash: A4A1EF76A8821E8FCB05CF34D8415EF3BE1EF96360F24512AE842A7A41C2F24D21DB59
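The function records above are easier to read once the dotted .sdmp identifiers are decoded. The following Python is an added example, not Joe Sandbox code: it parses an identifier into base address, protection and region type (reading the fifth field as a winnt.h PAGE_* value and the seventh as a MEM_* value is an assumption inferred from the values that occur on this page), maps each "ref:" address to the dump that contains it and to an RVA from the Offset 00E60000 image base, and counts the MEM_IMAGE dumps whose pages are both writable and executable, which is the in-memory state behind the "Detected unpacking (changes PE section rights)" signature in the overview. The sample input is a constructed subset of this page's dump names and ref addresses; the dump names carry no region size, so containment is approximated by the next dumped base.

```python
"""
Decode Joe Sandbox memory-dump identifiers (*.sdmp names) and map the
report's "ref:" API addresses back onto the dumped regions.
Added illustration, not Joe Sandbox code: the field layout and the meaning
of the protection/type fields are assumptions inferred from this report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Protection and region-type constants from winnt.h. Treating the 5th dotted
# field as PAGE_* and the 7th as MEM_* is an assumption; it is consistent with
# the values seen in this report (0x04/0x08/0x40/0x80 and 0x1000000).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def writable_executable(self) -> bool:
        # The only two PAGE_* values that grant write and execute together.
        return self.protect in (0x40, 0x80)


def parse_sdmp_name(name: str) -> Region:
    """Split one .sdmp identifier into base address, protection and type."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not an .sdmp identifier: {name}")
    return Region(name, int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def region_for(regions: Iterable[Region], addr: int) -> Optional[Region]:
    """Region whose base is the highest one at or below addr. The names carry
    no size, so a region is assumed to run up to the next dumped base."""
    below = [r for r in regions if r.base <= addr]
    return max(below, key=lambda r: r.base) if below else None


def locate_api_refs(regions: List[Region], refs: List[Tuple[str, int]],
                    image_base: int) -> List[Tuple[str, int, Optional[int], Optional[str]]]:
    """(api, RVA from image base, base of the containing dump, its protection)."""
    out = []
    for api, addr in refs:
        r = region_for(regions, addr)
        out.append((api, addr - image_base,
                    r.base if r else None, r.protect_name if r else None))
    return out


def wx_image_regions(regions: Iterable[Region]) -> List[Region]:
    """Image-backed (MEM_IMAGE) dumps whose pages are writable and executable."""
    return [r for r in regions if r.mem_type == 0x1000000 and r.writable_executable]


# Constructed sample: a subset of the dump names and "ref:" addresses on this
# page, for the module mapped at Offset 00E60000.
IMAGE_BASE = 0x00E60000
SAMPLE_DUMPS = [
    "00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp",
]
API_REFS = [
    ("VirtualAlloc", 0x00E6ECD6),           # ref under the first AllocVirtual record
    ("VirtualAlloc", 0x00E6E7EA),           # ref under the second AllocVirtual record
    ("CryptVerifySignatureA", 0x01044611),  # ref under the last APIs entry on the page
]


def main() -> None:
    regions = [parse_sdmp_name(n) for n in SAMPLE_DUMPS]
    for api, rva, base, prot in locate_api_refs(regions, API_REFS, IMAGE_BASE):
        print(f"{api:<22} RVA 0x{rva:06x}  dump base 0x{base:08x}  {prot}")
    wx = wx_image_regions(regions)
    print(f"{len(wx)} of {len(regions)} image dumps are writable+executable")


if __name__ == "__main__":
    main()
```

On the sample subset both VirtualAlloc references fall in the 00E6A000 dump, which is PAGE_EXECUTE_READWRITE on an image mapping (code pages that were either re-protected or written to after load), the CryptVerifySignatureA reference falls in the 01044000 dump, and 7 of the 9 image dumps are writable and executable. For exact containment use the dumps' real lengths rather than the next-base approximation.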
      APIs
      • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 01044611
      Memory Dump Source
      • Source File: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID: CryptSignatureVerify
      • String ID:
      • API String ID: 1015439381-0
      • Opcode ID: a1c605816f2d9fdcb1e51874839f034411079888c4a8d7543915e40c55d64beb
      • Instruction ID: 1540a860cff1623b5cbf8762b44fa192021d667877690ae8206995b5d086fdc8
      • Opcode Fuzzy Hash: a1c605816f2d9fdcb1e51874839f034411079888c4a8d7543915e40c55d64beb
      • Instruction Fuzzy Hash: 6DF01C7660114AFFCF01CFA4C944A8C7BB2FF18315B00C22AFA0696A51D776D665EF85
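      The entry above ties the CryptVerifySignatureA call site to one memory dump and lists the other dumps of the same image. Working through dozens of these lists by eye is slow, so the following is an added helper, not code from Joe Sandbox or from this report, that parses the dump file names as they appear on the page, decodes the memory protection of each region, and picks out the regions that are both writable and executable. The field layout of the dump name (third field = dump id, fourth = region base address, fifth = PAGE_* protection) is an assumption inferred from the values on the page, not taken from vendor documentation; the PAGE_* constants themselves are the documented Windows values. The sample lines are constructed to match the report's rendering, including the "Download File" link text that is glued to each name.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Windows memory protection constants (winnt.h). The low byte holds exactly one
# of these values; PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE are modifier bits.
PAGE_BASE_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIER_NAMES = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# A dump name in the report looks like
#   00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
# ASSUMPTION: field 3 is the dump id, field 4 the region base address and field 5 the
# PAGE_* protection. This is inferred from the values on the page (every fifth field is a
# valid PAGE_* constant), not from Joe Sandbox documentation; other fields are kept raw.
DUMP_NAME_RE = re.compile(r"[0-9A-Fa-f]{8}(?:\.[0-9A-Fa-f]+){7}\.sdmp")


@dataclass(frozen=True)
class DumpRegion:
    name: str       # dump file name with any trailing link text removed
    dump_id: str
    base: int       # region base address
    protect: int    # raw PAGE_* value
    extra: tuple    # fields 1, 2, 6, 7 and 8 as hex strings, uninterpreted

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE

    def rva(self, image_base: int) -> int:
        """Offset of this region from the image base the report says the dump is based on."""
        return self.base - image_base


def protect_name(protect: int) -> str:
    """Render a PAGE_* value symbolically, e.g. 0x140 -> 'PAGE_EXECUTE_READWRITE|PAGE_GUARD'."""
    low = protect & 0xFF
    parts = [PAGE_BASE_NAMES.get(low, f"0x{low:02X}")]
    parts += [name for bit, name in PAGE_MODIFIER_NAMES.items() if protect & bit]
    return "|".join(parts)


def parse_dump_name(text: str) -> DumpRegion:
    """Extract a DumpRegion from a report line or a bare dump name.

    The rendered report appends the link text 'Download File' directly to the
    name; matching the name pattern instead of splitting on whitespace drops it.
    """
    m = DUMP_NAME_RE.search(text)
    if not m:
        raise ValueError(f"no dump name in: {text!r}")
    name = m.group(0)
    fields = name[: -len(".sdmp")].split(".")
    return DumpRegion(
        name=name,
        dump_id=fields[2],
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        extra=(fields[0], fields[1], fields[5], fields[6], fields[7]),
    )


def parse_report_lines(lines: Iterable[str]) -> List[DumpRegion]:
    """Collect every dump region referenced on the given report lines, in page order."""
    return [parse_dump_name(line) for line in lines if DUMP_NAME_RE.search(line)]


def writable_executable(regions: Iterable[DumpRegion]) -> List[DumpRegion]:
    """Regions that are both writable and executable, sorted by address. In an image
    mapping these are the pages an unpacker stub writes code into and then runs, so they
    are the ones to dump and diff against the on-disk PE sections."""
    return sorted((r for r in regions if r.writable and r.executable), key=lambda r: r.base)


# Constructed sample: a few lines in the shape the report renders them.
SAMPLE_LINES = [
    "Source File: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true",
    "Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File",
    "Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmpDownload File",
    "Joe Sandbox IDA Plugin",
]
IMAGE_BASE = 0x00E60000  # the 'Offset' the report gives for these dumps


if __name__ == "__main__":
    for r in parse_report_lines(SAMPLE_LINES):
        flag = "W+X" if r.writable and r.executable else "   "
        print(f"{r.base:016X} rva=+{r.rva(IMAGE_BASE):06X} {protect_name(r.protect):24} {flag}")
```

      Run against the six sample lines it prints one row per region with its RVA from the 00E60000 image base and its symbolic protection; the two non-executable regions (PAGE_READWRITE at the image base, PAGE_WRITECOPY at +6000) are left unflagged and the four W+X regions are marked. Feeding it the full Associated list of an entry gives a compact map of which pages of the mapped image were writable and executable at dump time, which is the view you want before deciding which dump to load into IDA.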
      Memory Dump Source
      • Source File: 00000000.00000002.2378127889.000000000100D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
      • Associated: 00000000.00000002.2377764966.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377780808.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377798502.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377815565.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377836576.0000000000E76000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377939164.0000000000FCC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377957815.0000000000FCE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377980373.0000000000FE7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2377997886.0000000000FE9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FEA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378016868.0000000000FF3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378053980.0000000000FF7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378072056.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378088870.0000000000FFB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378105083.0000000000FFC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378146873.000000000100F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378166210.000000000101E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378183144.0000000001020000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378201734.0000000001024000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378219513.0000000001025000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378237374.000000000102E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378257033.0000000001039000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378276303.0000000001044000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378291882.0000000001047000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378313348.000000000104F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378328778.0000000001051000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378347257.000000000105A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378363967.000000000105E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378381180.000000000105F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378402889.0000000001063000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378422686.000000000106B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378439859.000000000106F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378457089.0000000001070000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378475963.0000000001075000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378492334.000000000107D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378509890.0000000001082000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378527090.000000000108A000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378544935.000000000108C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378560708.000000000108D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378575688.000000000108F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378594196.0000000001090000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378610743.0000000001091000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378626723.0000000001092000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378643020.0000000001093000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378660443.000000000109B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378674636.000000000109D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378695057.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378711692.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378741968.00000000010ED000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378759273.00000000010EF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010F8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378776452.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378811117.000000000110E000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2378831083.0000000001110000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_e60000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b91b15c8540ec6b81373f1cf4d79f7dbef0daf033f7ca63a2cf94ce0814eed31
      • Instruction ID: 0e5738fda2bd8f1136632b82e66895ba96d90eb0f9006e1c8903d832cd188f08
      • Opcode Fuzzy Hash: b91b15c8540ec6b81373f1cf4d79f7dbef0daf033f7ca63a2cf94ce0814eed31
      • Instruction Fuzzy Hash: 02314DF240C304AFE701BF69D841ABAFBE8EB84360F16482EE6D5C2611EB3555449B67