
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562254
MD5: d30bd6bc4ce8e63cd599e4d1b604c815
SHA1: c79f06015669a06f56c7f3ce81e4b5f18c91d867
SHA256: 53705aeb862870ba7f20fcbe388077b9b47f049a6132ae4b3fe9a23208f5897f
Tags: exe, Healer, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 716 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D30BD6BC4CE8E63CD599E4D1B604C815)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B6DCC CryptVerifySignatureA | 0_2_011B6DCC
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2254017111.0000000004840000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011595D5 | 0_2_011595D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B | 0_2_0115516B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011595F0 | 0_2_011595F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01159606 | 0_2_01159606
Source: file.exe, 00000000.00000002.2387287169.000000000072E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2229039941.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeP
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2846720 > 1048576
Source: file.exe | Static PE information: Raw size of frqkrlxj is bigger than: 0x100000 < 0x2b1000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2254017111.0000000004840000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fd0000.0.unpack :EW;.rsrc:W;.idata :W;frqkrlxj:EW;fygxckij:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2ba0c9 should be: 0x2c3c2c
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: frqkrlxj
Source: file.exe | Static PE information: section name: fygxckij
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011595D5 push ebx; mov dword ptr [esp], edx | 0_2_01159611
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011595D5 push 2529F9DFh; mov dword ptr [esp], ebp | 0_2_0115968C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01159737 push ebp; mov dword ptr [esp], 7FFF7844h | 0_2_01159754
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01159737 push ebx; mov dword ptr [esp], 77FDC6EBh | 0_2_01159780
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01159737 push eax; mov dword ptr [esp], ebp | 0_2_011597C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A119 push esi; mov dword ptr [esp], 2966B134h | 0_2_0115A1AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A119 push esi; mov dword ptr [esp], 2632CD26h | 0_2_0115A1BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A119 push 685C1BB8h; mov dword ptr [esp], edx | 0_2_0115A21F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDC0DC push ecx; mov dword ptr [esp], esp | 0_2_00FDC0DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDC0DC push 107437FAh; mov dword ptr [esp], esi | 0_2_00FDC0EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A12B push esi; mov dword ptr [esp], 2966B134h | 0_2_0115A1AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A12B push esi; mov dword ptr [esp], 2632CD26h | 0_2_0115A1BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115A12B push 685C1BB8h; mov dword ptr [esp], edx | 0_2_0115A21F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0123E16C push ebx; mov dword ptr [esp], esp | 0_2_0123E1C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20A9 push ebx; mov dword ptr [esp], edi | 0_2_00FE20AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115C14C push ebp; ret | 0_2_0115C15B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE3093 push 6AE1F7C2h; mov dword ptr [esp], edx | 0_2_00FE30AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE3093 push 61E197A2h; mov dword ptr [esp], ebp | 0_2_00FE30BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push 1C15ACE5h; mov dword ptr [esp], ebx | 0_2_011551FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push ecx; mov dword ptr [esp], ebp | 0_2_0115521E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push edx; mov dword ptr [esp], eax | 0_2_0115524D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push 3E94A4E6h; mov dword ptr [esp], eax | 0_2_01155274
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push 5C9B4748h; mov dword ptr [esp], ecx | 0_2_01155289
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push 1F569CA5h; mov dword ptr [esp], ebx | 0_2_011552BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push ecx; mov dword ptr [esp], ebx | 0_2_0115530B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push 533F9011h; mov dword ptr [esp], ebx | 0_2_0115538C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push ecx; mov dword ptr [esp], edx | 0_2_01155396
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push ecx; mov dword ptr [esp], ebp | 0_2_011553F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push edx; mov dword ptr [esp], 71D04F01h | 0_2_0115541A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push ebp; mov dword ptr [esp], eax | 0_2_01155473
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115516B push edi; mov dword ptr [esp], ebx | 0_2_011554AA
Source: file.exe | Static PE information: section name: (blank), entropy: 7.809790627438205

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118D00F second address: 118D076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edi, dword ptr [ebp+122D1C62h] 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F1131072E18h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov esi, dword ptr [ebp+122D1C66h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F1131072E18h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D1C66h] 0x00000050 xchg eax, ebx 0x00000051 pushad 0x00000052 jo 00007F1131072E1Ch 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118D076 second address: 118D07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118D07E second address: 118D096 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1131072E16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jno 00007F1131072E16h 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118DA0C second address: 118DA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118F2DE second address: 118F2E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118F2E2 second address: 118F2EC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11310835A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1191F30 second address: 1191F36 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1191F36 second address: 1191FA6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F11310835A8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 sbb esi, 1B4EDBFBh 0x00000029 sub dword ptr [ebp+122D2572h], esi 0x0000002f push 00000000h 0x00000031 and si, 2411h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F11310835A8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000018h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 movzx edi, si 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 jnc 00007F11310835A8h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1191FA6 second address: 1191FC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1131072E1Ah 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jc 00007F1131072E16h 0x00000017 jc 00007F1131072E16h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194DBB second address: 1194DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194DBF second address: 1194DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194EBF second address: 1194EC5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194EC5 second address: 1194ED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1131072E1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196D24 second address: 1196D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1194ED9 second address: 1194EDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197BEC second address: 1197BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196FEA second address: 1196FEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197BF0 second address: 1197BF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196FEE second address: 1197003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F1131072E16h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197BF4 second address: 1197C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F11310835B0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197C0D second address: 1197C58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 cmc 0x0000000a push 00000000h 0x0000000c call 00007F1131072E21h 0x00000011 push edx 0x00000012 jne 00007F1131072E16h 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push eax 0x0000001f call 00007F1131072E18h 0x00000024 pop eax 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc eax 0x00000032 push eax 0x00000033 ret 0x00000034 pop eax 0x00000035 ret 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197C58 second address: 1197C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197C5C second address: 1197C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197C6F second address: 1197C7E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F11310835A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1199B94 second address: 1199B9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197E10 second address: 1197E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F11310835A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1199B9F second address: 1199BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D5D58h], ecx 0x0000000d push 00000000h 0x0000000f sbb ebx, 5838A378h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007F1131072E18h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 jnc 00007F1131072E1Eh 0x00000037 mov dword ptr [ebp+122D3F5Dh], ebx 0x0000003d xchg eax, esi 0x0000003e jmp 00007F1131072E1Ah 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197E1D second address: 1197E32 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F11310835A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1199D5C second address: 1199D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119AC56 second address: 119ACCF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F11310835AFh 0x00000010 popad 0x00000011 pop esi 0x00000012 nop 0x00000013 jo 00007F11310835A9h 0x00000019 push edx 0x0000001a cld 0x0000001b pop ebx 0x0000001c push 00000000h 0x0000001e sub dword ptr [ebp+122D2CD5h], edx 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F11310835A8h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 push eax 0x00000041 pushad 0x00000042 push edi 0x00000043 jmp 00007F11310835B1h 0x00000048 pop edi 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007F11310835B2h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119CDBC second address: 119CDE7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1131072E1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007F1131072E26h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119CDE7 second address: 119CE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 nop 0x00000007 jmp 00007F11310835AFh 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F11310835A8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov edi, dword ptr [ebp+122D3249h] 0x0000002e mov ebx, dword ptr [ebp+122D2FD9h] 0x00000034 push 00000000h 0x00000036 sbb di, 6B1Ah 0x0000003b push eax 0x0000003c pushad 0x0000003d jc 00007F11310835A8h 0x00000043 push esi 0x00000044 pop esi 0x00000045 pushad 0x00000046 push eax 0x00000047 pop eax 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119ED6A second address: 119ED7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1131072E1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119FC60 second address: 119FC66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119FC66 second address: 119FC7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1131072E1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119DF7D second address: 119E031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11310835B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 00B952BDh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F11310835A8h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 jmp 00007F11310835B8h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e cld 0x0000003f mov eax, dword ptr [ebp+122D039Dh] 0x00000045 xor dword ptr [ebp+122D5D58h], edi 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push eax 0x00000050 call 00007F11310835A8h 0x00000055 pop eax 0x00000056 mov dword ptr [esp+04h], eax 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc eax 0x00000063 push eax 0x00000064 ret 0x00000065 pop eax 0x00000066 ret 0x00000067 mov dword ptr [ebp+1244BB1Dh], esi 0x0000006d mov ebx, dword ptr [ebp+122D2E6Dh] 0x00000073 mov ebx, dword ptr [ebp+122D3E71h] 0x00000079 nop 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d je 00007F11310835A6h 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119E031 second address: 119E035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119E035 second address: 119E058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 js 00007F11310835A8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F11310835B0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119EF1C second address: 119EF21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A0A1B second address: 11A0A20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A2A7F second address: 11A2A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4F5D second address: 11A4F63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4F63 second address: 11A4FCC instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1131072E18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F1131072E18h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push esi 0x00000028 pop ebx 0x00000029 push 00000000h 0x0000002b mov edi, dword ptr [ebp+122D34EDh] 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F1131072E18h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d cld 0x0000004e xchg eax, esi 0x0000004f push eax 0x00000050 push edx 0x00000051 jno 00007F1131072E20h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF310 second address: 11AF316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF316 second address: 11AF31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEB6A second address: 11AEB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F11310835B5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEB84 second address: 11AEB89 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEB89 second address: 11AEBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F11310835A6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F11310835B4h 0x00000012 jne 00007F11310835A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEBB0 second address: 11AEBB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AEE77 second address: 11AEE7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF4F7 second address: 11BF4FD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF4FD second address: 11BF547 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11310835AAh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push edx 0x00000012 push eax 0x00000013 ja 00007F11310835A6h 0x00000019 pop eax 0x0000001a pop edx 0x0000001b mov eax, dword ptr [eax] 0x0000001d jmp 00007F11310835ABh 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 pushad 0x00000027 jmp 00007F11310835B5h 0x0000002c push ecx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF685 second address: 11BF6A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1131072E24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F1131072E1Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BF724 second address: 11BF728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5B84 second address: 11C5B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5B8A second address: 11C5B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5B90 second address: 11C5B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5B99 second address: 11C5B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5B9F second address: 11C5BBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1131072E26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5D33 second address: 11C5D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11310835AFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5D46 second address: 11C5D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5EC0 second address: 11C5EC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C5EC6 second address: 11C5ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C607D second address: 11C608E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11310835ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C61F3 second address: 11C61FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1131072E16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C6503 second address: 11C6507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11C6625 second address: 11C6629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A43D second address: 118A463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007F11310835B7h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A798 second address: 118A7AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1131072E23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A7AF second address: 118A7DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F11310835B0h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c or dword ptr [ebp+122D1C56h], edx 0x00000012 mov dh, 16h 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007F11310835ACh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AB4C second address: 118AB60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1131072E20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118AB60 second address: 118AB64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B39C second address: 118B3B9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1131072E1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1131072E1Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B3B9 second address: 118B446 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11310835B4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F11310835B7h 0x00000010 lea eax, dword ptr [ebp+1247FDB9h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F11310835A8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 mov dword ptr [ebp+122D31F7h], esi 0x00000036 push edi 0x00000037 jnl 00007F11310835ACh 0x0000003d pop edx 0x0000003e nop 0x0000003f push edx 0x00000040 push ebx 0x00000041 jmp 00007F11310835AAh 0x00000046 pop ebx 0x00000047 pop edx 0x00000048 push eax 0x00000049 js 00007F11310835B2h 0x0000004f jc 00007F11310835ACh 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1249563 second address: 124956E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12496A0 second address: 12496F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11310835ABh 0x00000007 jmp 00007F11310835B9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f jmp 00007F11310835ADh 0x00000014 jnp 00007F11310835A6h 0x0000001a pop ebx 0x0000001b jmp 00007F11310835ADh 0x00000020 popad 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 push edx 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124DE11 second address: 124DE19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255B30 second address: 1255B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1255B34 second address: 1255B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F1131072E23h 0x0000000c pushad 0x0000000d ja 00007F1131072E16h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jne 00007F1131072E16h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12570E5 second address: 1257100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11310835B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12699AB second address: 12699B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12699B1 second address: 12699B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12699B7 second address: 12699BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12694AE second address: 12694B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F11310835A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126966C second address: 1269670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270BF0 second address: 1270BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270BF4 second address: 1270C05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1131072E1Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270C05 second address: 1270C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270C0C second address: 1270C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F1131072E25h 0x00000011 jp 00007F1131072E16h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270C34 second address: 1270C3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270C3C second address: 1270C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1270E0C second address: 1270E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12710D8 second address: 12710DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127139A second address: 12713BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F11310835B4h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271501 second address: 127151C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007F1131072E16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F1131072E1Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271663 second address: 1271690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11310835B1h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop esi 0x0000000d pushad 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jbe 00007F11310835AAh 0x0000001a push edi 0x0000001b pop edi 0x0000001c pushad 0x0000001d popad 0x0000001e push esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1271690 second address: 12716B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1131072E27h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12716B2 second address: 12716B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12716B6 second address: 12716BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274A39 second address: 1274A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11310835B0h 0x00000009 jl 00007F11310835A6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274A56 second address: 1274A6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1131072E20h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274A6B second address: 1274A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1276713 second address: 1276719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127A399 second address: 127A3B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F11310835AEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128032F second address: 1280333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127FED9 second address: 127FEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1281EF6 second address: 1281F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1131072E22h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274BCF second address: 1274BD9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F11310835ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274E5E second address: 1274E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1274E67 second address: 1274E80 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11310835AEh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1277484 second address: 127748B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127748B second address: 127749A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F11310835A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127749A second address: 127749E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127749E second address: 12774A8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11310835A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118E6EC second address: 118E6FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jng 00007F1131072E16h 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118E937 second address: 118E93D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118E93D second address: 118E941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118E941 second address: 118E945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118E945 second address: 118E957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F1131072E16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 121EDEC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 49D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0115BF09 rdtsc 0_2_0115BF09
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 3892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0115BF09 rdtsc 0_2_0115BF09
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FDB7DE LdrInitializeThunk,0_2_00FDB7DE
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: nProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter
1
DLL Side-Loading
1
Process Injection
1
Masquerading
OS Credential Dumping641
Security Software Discovery
Remote Services1
Archive Collected Data
2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
41
Disable or Modify Tools
LSASS Memory2
Process Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
Bypass User Account Control
261
Virtualization/Sandbox Evasion
Security Account Manager261
Virtualization/Sandbox Evasion
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Process Injection
NTDS22
System Information Discovery
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information
LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
Software Packing
Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
DLL Side-Loading
DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
Bypass User Account Control
Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Source | Detection | Scanner
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | (none) | high
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1562254
    Start date and time:2024-11-25 12:07:06 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 16s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:14
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:file.exe
    Detection:MAL
    Classification:mal100.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, tse1.mm.bing.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • VT rate limit hit for: file.exe
    No simulations
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Stealc, Vidar | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Credential Flusher | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | Credential Flusher | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | file.exe | malicious | LummaC Stealer | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | 05.Unzipped.obfhotel22-11.js | malicious | RHADAMANTHYS | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | Ziraat_Bankasi_Swift_Mesaji_BXB04958T.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 13.107.246.63
    s-part-0035.t-0009.t-msedge.net | fusioncharts.charts.js | malicious | Unknown | 13.107.246.63
    No context
    Process:C:\Users\user\Desktop\file.exe
    File Type:CSV text
    Category:dropped
    Size (bytes):226
    Entropy (8bit):5.360398796477698
    Encrypted:false
    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
    MD5:3A8957C6382192B71471BD14359D0B12
    SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
    SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
    SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
    Malicious:true
    Reputation:high, very likely benign file
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.517887639932633
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:2'846'720 bytes
    MD5:d30bd6bc4ce8e63cd599e4d1b604c815
    SHA1:c79f06015669a06f56c7f3ce81e4b5f18c91d867
    SHA256:53705aeb862870ba7f20fcbe388077b9b47f049a6132ae4b3fe9a23208f5897f
    SHA512:847adf10aea75d02d7cfb45331946270f97624dc918ced6349c5c4b181fed23508fb67e64384c5d971a38fe4f318fd6ab985982f97a6b7fe483b6de426f612cd
    SSDEEP:24576:WgbYExwjbCl68QV52vzjYStIfac1BgOfuhELyisFa8fYaSHPDJjvjI/xLz3e1SA2:W/tbAq5uj+b/4JFrkLtQv3e9+ssd
    TLSH:C7D54AA2B54972CFE88E37749527CD4B6D6D03BA47244CC3A82D78BA7D63CC125B5C28
    File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ....................... ,.......+...`................................
    Icon Hash:00928e8e8686b000
    Entrypoint:0x6be000
    Entrypoint Section:.taggant
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
    Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:2eabe9054cad5152567f0699947a2c5b
    Instruction
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Sections
    Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics (IMAGE_SCN_*)
    (unnamed)  0x2000           0x4000        0x1200    1d3fc6150076ab5123980e4d77990c53  False     0.9344618055555556   data                  7.809790627438205   CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
    .rsrc      0x6000           0x59c         0x600     aae15e30898a02f09cc86ed48aa06b09  False     0.4140625            data                  4.036947054771808   CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
    .idata     0x8000           0x2000        0x200     ec9cb51e8cb4ea49a56ee3cf434fb69e  False     0.1484375            data                  0.9342685949460681  CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
    frqkrlxj   0xa000           0x2b2000      0x2b1000  2bd18149cc641d5bb286d5b55667814e  unknown   unknown              unknown               unknown             CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
    fygxckij   0x2bc000         0x2000        0x400     b0593e80d94dfb1526e4f152948274e7  False     0.8212890625         data                  6.288643960573603   CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
    .taggant   0x2be000         0x4000        0x2200    d83071de97578abc10db1a841e7fc349  False     0.05583639705882353  DOS executable (COM)  1.1230292077953017  CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE
    Four of the six sections are writable and executable, and the first section has no printable name. The first section is stored in 0x1200 bytes but occupies 0x4000 bytes in memory at an entropy of 7.81 bits per byte. frqkrlxj alone accounts for 0x2b1000 of the file's 2'846'720 (0x2b7000) bytes; its MD5 is listed, but its entropy, file type and ZLIB complexity are reported as unknown.
    Resources
    Name         RVA     Size   Type                                                                              Language  Country  ZLIB Complexity
    RT_VERSION   0x6090  0x30c  data                                                                              -         -        0.42948717948717946
    RT_MANIFEST  0x63ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  -         -        0.5489795918367347
    Imports
    DLL           Import
    kernel32.dll  lstrcpy
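    The section and import tables above carry the marks a packer leaves behind: a first section with no printable name and two randomly named ones (frqkrlxj, fygxckij) that are all writable and executable, a first section whose raw size (0x1200) is far below its virtual size (0x4000) at 7.8 bits per byte of entropy, an import table that resolves a single kernel32 export (lstrcpy) while the IAT directory is empty, and a trailing .taggant section. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses PE32 section headers and data directories with the standard library only and flags exactly those indicators. Its input is a constructed PE that copies the header values from the tables above but shrinks the raw data so it fits in memory; the raw bytes, the entry-point RVA (0x2bc100), the ImageBase (0x400000) and the other optional-header filler are made up.

```python
"""Flag packer indicators in a PE32 section table and data directories.

Added example for this report; not code from Joe Sandbox or from the sample.
Standard library only. build_test_pe() constructs an input that mirrors the
section table in the report with made-up raw data.
"""
import hashlib
import math
import struct

# IMAGE_SCN_* section characteristics (winnt.h)
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# IMAGE_DIRECTORY_ENTRY_* indices (winnt.h)
DIR_IMPORT, DIR_BASERELOC, DIR_IAT = 1, 5, 12

# Names a normal toolchain produces; anything else is reported as non-standard
STANDARD_NAMES = {b".text", b".data", b".rdata", b".idata", b".edata", b".rsrc",
                  b".reloc", b".bss", b".tls", b".pdata", b".CRT", b".didat"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def parse_pe32(pe: bytes):
    """Return (entry_rva, section_alignment, data_dirs, sections) from a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    section_alignment = struct.unpack_from("<I", pe, opt + 32)[0]
    n_dirs = struct.unpack_from("<I", pe, opt + 92)[0]
    data_dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "rsize": rsize, "chars": chars,
                         "entropy": shannon_entropy(pe[rptr:rptr + rsize])})
    return entry_rva, section_alignment, data_dirs, sections


def packer_indicators(pe: bytes):
    """List of (section name, [indicator, ...]) for everything that looks packed."""
    entry_rva, align, dirs, sections = parse_pe32(pe)
    findings = []
    for s in sections:
        tags = []
        if s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE:
            tags.append("writable+executable")
        if s["name"] not in STANDARD_NAMES:
            tags.append("non-standard name")
        # Virtual size beyond alignment padding means the section is filled at run time
        if s["vsize"] > _align_up(s["rsize"], align):
            tags.append("grows in memory")
        if s["entropy"] > 7.0:
            tags.append("high entropy")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
            tags.append("contains entry point")
        if tags:
            findings.append((s["name"].decode("latin-1") or "<unnamed>", tags))
    # An empty IAT directory is legal but unusual for a normally linked binary;
    # next to a one-function import table it points at run-time import resolution.
    if dirs[DIR_IMPORT][1] and not dirs[DIR_IAT][1]:
        findings.append(("<headers>", ["import directory present but IAT directory empty"]))
    return findings


def build_test_pe() -> bytes:
    """Constructed PE32 mirroring the report's section table; raw data is made up and shrunk."""
    junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))  # 8 KiB, ~8 bits/byte
    rwx = SCN_CNT_INITIALIZED_DATA | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    rw = SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE
    layout = [  # name, VirtualAddress, VirtualSize, raw bytes, Characteristics
        (b"",         0x002000, 0x004000, junk[:0x1200],  rwx),
        (b".rsrc",    0x006000, 0x00059c, b"\0" * 0x600,  rw),
        (b".idata",   0x008000, 0x002000, b"\0" * 0x200,  rw),
        (b"frqkrlxj", 0x00a000, 0x2b2000, junk[:0x1000],  rwx),  # real raw size is 0x2b1000
        (b"fygxckij", 0x2bc000, 0x002000, junk[:0x400],   rwx),
        (b".taggant", 0x2be000, 0x004000, b"\0" * 0x2200, rwx),
    ]
    headers_size, raw_ptr = 0x400, 0x400
    sect_hdrs, body = b"", b""
    for name, vaddr, vsize, raw, chars in layout:
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE|32BIT
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
    opt = struct.pack(opt_fmt,
                      0x10B, 0, 0,
                      0, 0, 0, 0x2bc100, 0x2000, 0x6000, 0x400000, 0x1000, 0x200,  # entry RVA is made up
                      6, 0, 0, 0, 6, 0,
                      0, 0x2c2000, headers_size, 0,
                      2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IMPORT] = (0x8055, 0x69)    # values from the data directory table
    dirs[DIR_BASERELOC] = (0x81f8, 0x8)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    headers = (dos + b"PE\0\0" + coff + opt + sect_hdrs).ljust(headers_size, b"\0")
    return headers + body


if __name__ == "__main__":
    for name, tags in packer_indicators(build_test_pe()):
        print(f"{name:<10} {', '.join(tags)}")
```

    Run against the constructed input, the unnamed section, frqkrlxj and fygxckij each come back with all of writable+executable, non-standard name, grows in memory and high entropy, .taggant with the first three, and the headers with the empty-IAT finding; .rsrc is clean. The "grows in memory" test compares the virtual size against the raw size rounded up to SectionAlignment, so ordinary alignment padding does not trigger it, but .idata (0x200 on disk, 0x2000 in memory) still does.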
    DNS answers
    Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                                           CName                            Address        Type                    Class        DNS over HTTPS
    Nov 25, 2024 12:08:05.528350115 CET  1.1.1.1    192.168.2.6  0xd87a    No error (0)  shed.dual-low.s-part-0035.t-0009.t-msedge.net  s-part-0035.t-0009.t-msedge.net  -              CNAME (Canonical name)  IN (0x0001)  false
    Nov 25, 2024 12:08:05.528350115 CET  1.1.1.1    192.168.2.6  0xd87a    No error (0)  s-part-0035.t-0009.t-msedge.net                -                                13.107.246.63  A (IP address)          IN (0x0001)  false
    Both rows are one response (same transaction ID 0xd87a): a CNAME for shed.dual-low.s-part-0035.t-0009.t-msedge.net and the A record it resolves to. The t-msedge.net zone is Microsoft infrastructure, and nothing in these rows ties the query to file.exe, so treat it as background traffic unless the process-level network log says otherwise.


    Target ID:0
    Start time:06:08:07
    Start date:25/11/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0xfd0000
    File size:2'846'720 bytes
    MD5 hash:D30BD6BC4CE8E63CD599E4D1B604C815
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true


      Execution Graph

      Execution Coverage:5.1%
      Dynamic/Decrypted Code Coverage:8.8%
      Signature Coverage:5.8%
      Total number of Nodes:137
      Total number of Limit Nodes:7
      API-calling nodes of the execution graph (function address, API). Addresses from 0xfdxxxx to 0x11bxxxx lie inside the loaded image (Imagebase 0xfd0000); the 0x49dxxxx nodes lie outside it.
        fdb94e   LdrInitializeThunk
        fdf4a3   VirtualAlloc
        11595d5  LoadLibraryA
        115bf21  CreateFileA
        115c0b6  CreateFileA
        11b359c  LoadLibraryExW
        11b35b0  LoadLibraryExA
        11b3797  GetModuleFileNameA
        11b37e5  GetFullPathNameA
        11b3862  GetModuleFileNameA
        11b3a54  GetModuleHandleW
        11b3a62  GetModuleHandleA
        11b3ade  GetModuleHandleExA
        11b3bda  CloseHandle
        11b3d5d  CreateFileA
        11b457b  CreateFileA
        11b4b4f  CloseHandle
        11b5e88  GetCurrentProcess
        11b5ed9  DuplicateHandle
        11b6367  GetFileAttributesW
        11b6378  GetFileAttributesA
        11b642c  GetWindowsDirectoryA
        11b64c2  IsBadWritePtr
        11b65aa  CreateFileW
        11b65cd  CreateFileA
        11b6770  ReadFile
        11b6ebc  CreateFileMappingA
        11b70bc  MapViewOfFileEx
        49d0d93  OpenSCManagerW
        49d1349  ImpersonateLoggedOnUser
        49d1558  ControlService
      Call chains recorded in the graph: the wrapper at 11b3487 (reached from both 11b3420 and 11b3439, marked "2 API calls") branches to LoadLibraryExW at 11b359c or LoadLibraryExA at 11b35b0; the routine at 11b6504 calls GetWindowsDirectoryA via 11b641d and IsBadWritePtr at 11b64c2 before CreateFileW (11b65aa) or CreateFileA (11b65cd), and on its other path opens a file through 11b3d17 (CreateFileA at 11b3d5d) and closes it via 11b3bda; 11b6e24 reaches CreateFileMappingA at 11b6ebc and, through 11b44fb, CreateFileA at 11b457b followed by CloseHandle; 11b5e7c pairs GetCurrentProcess with DuplicateHandle; 11b6308 selects GetFileAttributesW or GetFileAttributesA, and 11b39a9 selects GetModuleHandleW or GetModuleHandleA.

      Control-flow Graph (function 11595d5, calls LoadLibraryA)

      Basic blocks and edges as recorded in the graph data (the rendered graph also coloured blocks as executed or not executed):
        11595d5-11595d7  LoadLibraryA              -> 11595e4
        11595e4-11595e5                            -> 11595fd, 11595eb
        11595eb                                    -> 11595fd
        11595fd-1159731                            -> 1159732
        1159732                                    -> 1159732 (loops back to itself)
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: c0c28e1bd7184e91e017a642326850400b7da721efe46a5d71fe0efd177e226f
      • Instruction ID: 35884f55c6fae95ee1a32e8f75de02292d15e8b9400f00688e4788905fb8fe34
      • Opcode Fuzzy Hash: c0c28e1bd7184e91e017a642326850400b7da721efe46a5d71fe0efd177e226f
      • Instruction Fuzzy Hash: 2A315CB251C604EFE30DAF28D8816BAFBE5FB58314F02491EE6D583650D73154408A97
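      Every function block on this page lists the process memory dumps (sdmp files) it was recovered from, and the dotted descriptor names encode where in the process each dump came from. The Python below is an added example, not Joe Sandbox code: it parses those names and maps each dump back to the section table above, which shows which parts of the image were writable and executable at dump time. How the fields are read is an assumption made here, not something this page documents: the 4th field is taken as the region base address, the 5th as the Windows PAGE_* protection constant and the 7th as the MEM_* type. Those readings are consistent with the page's "Offset: 00FD0000" and "Imagebase:0xfd0000" and with the section characteristics above (the 0x6000 region, .rsrc, is the only one dumped without execute rights). The six descriptors used as input are copied from the list above, not constructed.

```python
"""Map Joe Sandbox memory-dump descriptors back to PE sections and protections.

Added example for this report, not Joe Sandbox code. Field meanings are an
assumption: 4th dotted field = region base, 5th = PAGE_* protection, 7th = MEM_* type.
"""
import re
from typing import List, NamedTuple, Sequence, Tuple

PAGE_NAMES = {  # winnt.h memory protection constants
    0x01: "NOACCESS", 0x02: "READONLY", 0x04: "READWRITE", 0x08: "WRITECOPY",
    0x10: "EXECUTE", 0x20: "EXECUTE_READ", 0x40: "EXECUTE_READWRITE", 0x80: "EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000  # region backed by a mapped image

DESCRIPTOR = re.compile(
    r"^(?P<target>[0-9A-Fa-f]{8})\.(?P<snapshot>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.sdmp$")


class DumpRegion(NamedTuple):
    base: int
    protection: int
    mem_type: int

    @property
    def executable(self) -> bool:
        return self.protection & 0xF0 != 0   # every PAGE_EXECUTE* value lives in the high nibble

    @property
    def writable(self) -> bool:
        return self.protection & 0xCC != 0   # READWRITE, WRITECOPY and their EXECUTE_ variants


def parse_descriptor(name: str) -> DumpRegion:
    m = DESCRIPTOR.match(name.strip())
    if not m:
        raise ValueError(f"not a dump descriptor: {name!r}")
    return DumpRegion(int(m["base"], 16), int(m["prot"], 16), int(m["type"], 16))


# Section layout taken from the section table on this page: (name, VirtualAddress, VirtualSize)
SECTIONS = [("<unnamed>", 0x002000, 0x004000), (".rsrc", 0x006000, 0x00059c),
            (".idata", 0x008000, 0x002000), ("frqkrlxj", 0x00a000, 0x2b2000),
            ("fygxckij", 0x2bc000, 0x002000), (".taggant", 0x2be000, 0x004000)]


def section_for_rva(rva: int, sections=SECTIONS, alignment: int = 0x1000) -> str:
    """Name of the section whose page-aligned span contains rva."""
    if rva < sections[0][1]:
        return "<headers>"
    for name, vaddr, vsize in sections:
        end = vaddr + -(-vsize // alignment) * alignment   # round vsize up to a page
        if vaddr <= rva < end:
            return name
    return "<outside image>"


def summarise(descriptors: Sequence[str], image_base: int) -> List[Tuple[int, str, str, bool]]:
    """(RVA, protection name, section, writable+executable) per image dump, sorted by address."""
    rows = []
    for region in sorted((parse_descriptor(d) for d in descriptors), key=lambda r: r.base):
        if region.mem_type != MEM_IMAGE:
            continue   # only image-backed regions can be mapped onto the section table
        rva = region.base - image_base
        rows.append((rva, PAGE_NAMES.get(region.protection, hex(region.protection)),
                     section_for_rva(rva), region.executable and region.writable))
    return rows


# Copied from the Memory Dump Source list above (report data, not constructed)
SAMPLE = [
    "00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp",
]
IMAGE_BASE = 0xFD0000   # "Offset: 00FD0000" and "Imagebase:0xfd0000" on this page

if __name__ == "__main__":
    for rva, prot, section, wx in summarise(SAMPLE, IMAGE_BASE):
        print(f"RVA {rva:#08x}  {prot:<18} {section:<10} {'W+X' if wx else ''}")
```

      With these six descriptors the headers come out READWRITE, .rsrc WRITECOPY, and the unnamed section, frqkrlxj (twice, at RVA 0xa000 and 0x185000) and .taggant all EXECUTE_READWRITE or EXECUTE_WRITECOPY, matching the MEM_EXECUTE | MEM_WRITE characteristics in the section table. Feed the full list to see the 0x40/0x80 alternation page by page across the image.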
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the same set of process memory dumps listed under the first function above, minus this block's own source dump.
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: dc551032563d6bd8354f8528c6fe5536402b70922b829d525c71af45d42df895
      • Instruction ID: 7e2b0e70967945ac3a1ba3d6e3f416c9ccfc2b81a11c2da2c0c2e2355dd7976c
      • Opcode Fuzzy Hash: dc551032563d6bd8354f8528c6fe5536402b70922b829d525c71af45d42df895
      • Instruction Fuzzy Hash: B50147B314C21A7CE38A8D981E61BFE775ED382630F314126FD25E7583D3810C09067A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the same set of process memory dumps listed under the first function above, minus this block's own source dump.
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID:
      • String ID: !!iH
      • API String ID: 0-3430752988
      • Opcode ID: 408a3377716eef83c080ea2a69a783bfcb0d24b5383ba35d423aa5fa4647ea54
      • Instruction ID: 3a1de66f9b0a1c6aeb9e67eda870b6e4b95bf13198a904ce3badd7dda35f7321
      • Opcode Fuzzy Hash: 408a3377716eef83c080ea2a69a783bfcb0d24b5383ba35d423aa5fa4647ea54
      • Instruction Fuzzy Hash: A9E0C2B22048C5CACB16AF608C2179D770FDF40700F9D0116FB419AF85CB2E0D12E756

      Control-flow Graph

      APIs
      • LoadLibraryExW.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 011B35A5
      • LoadLibraryExA.KERNELBASE(?,?,?,?,?,?,?,?,00000000), ref: 011B35B9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the same set of process memory dumps listed under the first function above, minus this block's own source dump.
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID: .exe$1002
      • API String ID: 1029625771-4238571270

      Control-flow Graph

      [Figure: control-flow graph of the function spanning 11b62f4-11b638e, with executed and not-executed basic blocks marked; the graph branches into GetFileAttributesW and GetFileAttributesA calls]
      APIs
      • GetFileAttributesW.KERNELBASE(00765234,-112F5FEC), ref: 011B636D
      • GetFileAttributesA.KERNEL32(00000000,-112F5FEC), ref: 011B637B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805

      Control-flow Graph

      APIs
      • GetModuleFileNameA.KERNEL32(00000000,?,0000028B,-112F5FEC,00000000,?), ref: 011B37A7
      • GetFullPathNameA.KERNEL32(?,0000028B,?,00000000,-112F5FEC,?), ref: 011B37F7
      • GetModuleFileNameA.KERNELBASE(?,?,?), ref: 011B3870
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: Name$FileModule$FullPath
      • String ID:
      • API String ID: 3489545109-0

      Control-flow Graph

      [Figure: control-flow graph of the function spanning 11b6510-11b65f5, with executed and not-executed basic blocks marked; it calls subroutines 11b641d, 11b64c2 and 11b3d17 and branches into CreateFileW and CreateFileA calls]
      APIs
      • CreateFileW.KERNELBASE(00765234,?,-112F5FEC,?,?,?,?,-112F5FEC), ref: 011B65C2
        • Part of subcall function 011B64C2: IsBadWritePtr.KERNEL32(?,00000004), ref: 011B64D0
      • CreateFileA.KERNEL32(?,?,-112F5FEC,?,?,?,?,-112F5FEC), ref: 011B65E2
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile$Write
      • String ID:
      • API String ID: 1125675974-0

      Control-flow Graph

      [Figure: control-flow graph of the function spanning 11b399a-11b3a77, with executed and not-executed basic blocks marked; it calls subroutine 11b32fe and branches into GetModuleHandleW and GetModuleHandleA calls]
      APIs
      • GetModuleHandleW.KERNEL32(?,?,?,011B392C,?,00000000,00000000), ref: 011B3A57
      • GetModuleHandleA.KERNEL32(00000000,?,?,011B392C,?,00000000,00000000), ref: 011B3A65
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: 057f127f0861e7d406e49b2b48fd25903d246e490e619ab23f08608bcd780cf6
      • Instruction ID: aad243522afbcbd3728e07797d01393b074d19908739075d1265376f19afa44d
      • Opcode Fuzzy Hash: 057f127f0861e7d406e49b2b48fd25903d246e490e619ab23f08608bcd780cf6
      • Instruction Fuzzy Hash: FD112A30514606FFEB7DDF29C8887D97A71BB00745F104215E922894E0D77995B4CA92

      Control-flow Graph (basic blocks: address range, API or internal call, successors; the executed / not-executed colouring of the rendered graph is not recoverable from the extracted text)
      • 121: 11b5e7c-11b5e92, GetCurrentProcess -> 123, 124
      • 123: 11b5e98-11b5e9b -> 124, 125
      • 124: 11b5ed4-11b5ef6, DuplicateHandle -> 128
      • 125: 11b5ea1-11b5ea4 -> 124, 126
      • 126: 11b5eaa-11b5ebd -> 124, 130
      • 128: 11b5f00-11b5f02 (no successors)
      • 130: 11b5ec3-11b5efb, call 11b3c19 -> 128
      APIs
      • GetCurrentProcess.KERNEL32(-112F5FEC), ref: 011B5E89
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011B5EEF
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CurrentDuplicateHandleProcess
      • String ID:
      • API String ID: 1009649615-0
      • Opcode ID: fd7f7f9cfeb5db0740ec25b0fdd42b95d76f3a7745960c66128b0125bbcca2ce
      • Instruction ID: 93ba927661e00a7b807c473d1ca077f1851bec6362f0154d57a890804073e112
      • Opcode Fuzzy Hash: fd7f7f9cfeb5db0740ec25b0fdd42b95d76f3a7745960c66128b0125bbcca2ce
      • Instruction Fuzzy Hash: 0001FB3210015AFA8F2AAFA8DC94CDF7F7ABF686587018515FA1295054D731D0A2EB71
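Each function entry in this report carries its control-flow graph as one flattened token stream (`control_flow_graph <id> <addr>[-<addr>] [APIName | call <addr>] ... <id>-><id>`), which is awkward to read and impossible to compare across functions by eye. The Python below is a helper added for this page; it is not part of Joe Sandbox or its IDA plugin. It parses that stream into basic blocks with their imported API calls, internal call targets and successors, then finds the entry and exit blocks, the blocks that call a given API, and the set of blocks reachable from the entry. The grammar is inferred from the strings on this page (an assumption, not a documented format), the two sample strings are the report's own graphs for the functions at 011B5E7C and 011B38A1 embedded as constructed input, and the executed / not-executed colouring of the rendered graph is not present in the text, so it is not recovered.

```python
import re
from collections import deque
from dataclasses import dataclass, field

# Constructed inputs: the flattened control_flow_graph strings exactly as this page renders
# them for the functions at 011B5E7C (GetCurrentProcess/DuplicateHandle) and 011B38A1
# (GetModuleFileNameW/MultiByteToWideChar). Block 142 of the second graph is a single
# address rather than a range, which the parser must accept.
SAMPLE_CFG = (
    "control_flow_graph 121 11b5e7c-11b5e92 GetCurrentProcess 123 11b5e98-11b5e9b "
    "121->123 124 11b5ed4-11b5ef6 DuplicateHandle 121->124 123->124 125 11b5ea1-11b5ea4 "
    "123->125 128 11b5f00-11b5f02 124->128 125->124 126 11b5eaa-11b5ebd 125->126 "
    "126->124 130 11b5ec3-11b5efb call 11b3c19 126->130 130->128"
)
SAMPLE_CFG_2 = (
    "control_flow_graph 134 11b38a1-11b38bf 136 11b3915-11b391a 134->136 "
    "137 11b38c5-11b38cc call 11b3758 134->137 139 11b38d1-11b38d7 137->139 "
    "140 11b38dd-11b38f1 GetModuleFileNameW 139->140 141 11b38f6-11b390c "
    "MultiByteToWideChar 139->141 142 11b390d 140->142 141->142 142->136"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ADDR = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    node: int
    start: int                                  # first instruction address
    end: int                                    # last instruction address (== start for a one-instruction block)
    apis: list = field(default_factory=list)    # imported API names called from this block
    calls: list = field(default_factory=list)   # targets of internal "call <addr>" labels
    succ: list = field(default_factory=list)    # successor node ids, in the order the edges appear


def parse_cfg(text):
    """Parse the flat token stream into {node id: Block}.

    Grammar assumed from the page's own strings: "<id> <addr>[-<addr>]" opens a block,
    "call <addr>" names an internal callee, any other word is an imported API name and
    "<id>-><id>" is an edge. A node id is always followed directly by its address, which
    is how an all-digit address such as 1159737 is told apart from a node id.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        if tok.isdigit():
            addr = _ADDR.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if addr is None:
                raise ValueError(f"node {tok} is not followed by an address")
            start = int(addr.group(1), 16)
            end = int(addr.group(2), 16) if addr.group(2) else start
            current = blocks[int(tok)] = Block(int(tok), start, end)
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} appears before any block")
        if tok == "call":
            current.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            current.apis.append(tok)
            i += 1
    for src, dst in edges:
        blocks[src].succ.append(dst)
    return blocks


def entry_node(blocks):
    """The block nothing jumps to; if several qualify, the lowest address wins."""
    targets = {d for b in blocks.values() for d in b.succ}
    return min((b for b in blocks.values() if b.node not in targets), key=lambda b: b.start).node


def exit_nodes(blocks):
    """Blocks without successors: returns, or tails the plugin did not follow."""
    return sorted(b.node for b in blocks.values() if not b.succ)


def blocks_calling(blocks, api):
    return sorted(b.node for b in blocks.values() if api in b.apis)


def reachable_from(blocks, node):
    """Node ids reachable from `node` (itself included), breadth-first."""
    seen, queue = {node}, deque([node])
    while queue:
        for nxt in blocks[queue.popleft()].succ:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def api_call_order(blocks):
    """Imported APIs in address order of their blocks (alternative branches appear side by side)."""
    return [api for b in sorted(blocks.values(), key=lambda b: b.start) for api in b.apis]


if __name__ == "__main__":
    g = parse_cfg(SAMPLE_CFG)
    print("APIs:", api_call_order(g), "entry:", entry_node(g), "exits:", exit_nodes(g))
    print("blocks reachable from entry:", sorted(reachable_from(g, entry_node(g))))
```

Run as a script it prints the API order, entry and exit blocks of the DuplicateHandle function; to triage a whole report, feed every `control_flow_graph` line to `parse_cfg` and use `blocks_calling` to list which functions touch an API of interest (CreateFileA, LoadLibraryA) and whether those blocks lie on the path from the entry block.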

      Control-flow Graph (basic blocks: address range, API or internal call, successors; executed / not-executed colouring not recoverable from the extracted text)
      • 134: 11b38a1-11b38bf -> 136, 137
      • 136: 11b3915-11b391a (no successors)
      • 137: 11b38c5-11b38cc, call 11b3758 -> 139
      • 139: 11b38d1-11b38d7 -> 140, 141
      • 140: 11b38dd-11b38f1, GetModuleFileNameW -> 142
      • 141: 11b38f6-11b390c, MultiByteToWideChar -> 142
      • 142: 11b390d (single instruction) -> 136
      APIs
      • GetModuleFileNameW.KERNEL32(?,?,00000000,-112F5FEC,?,00000000,?), ref: 011B38E7
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000,-112F5FEC,?,00000000,?), ref: 011B3906
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the other memory dumps of module 00FD0000, the same list as given for the GetCurrentProcess/DuplicateHandle function above (same source file 11B3000)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: ByteCharFileModuleMultiNameWide
      • String ID:
      • API String ID: 1532159127-0
      • Opcode ID: 4dffdb0089d62b6f6dcb2e09e67b0cd5c974e2ac56d092f1bb08322a3b43c7f9
      • Instruction ID: 36bc1426bd12532fa83de73ba36400cfab056053930c32766efbc38fe3965217
      • Opcode Fuzzy Hash: 4dffdb0089d62b6f6dcb2e09e67b0cd5c974e2ac56d092f1bb08322a3b43c7f9
      • Instruction Fuzzy Hash: 9E01163250024AFBDF169F94CC48ADE7F72FF44354F108168FA21651A0C7318661EB10

      Control-flow Graph (basic blocks: address range, API or internal call, successors; executed / not-executed colouring not recoverable from the extracted text)
      • 143: 115bfda-115bfdc -> 144, 145
      • 144: 115bfde-115bff3, call 115bff6 -> 145
      • 145: 115c019-115c03b -> 148, 149
      • 148: 115c041-115c04a -> 149
      • 149: 115c04b-115c07d -> 154, 155
      • 154: 115c087-115c088 -> 156, 157
      • 155: 115c083-115c086 -> 154
      • 156: 115c091-115c0ef, CreateFileA -> 161, 162
      • 157: 115c08e (single instruction) -> 156
      • 161: 115c0f5-115c120 -> 167, 168
      • 162: 115c2ec-115c307, call 115c30a (no successors listed)
      • 167: 115c126-115c149, call 115c14c (no successors listed)
      • 168: 115c121 (single instruction) -> 167
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the other memory dumps of module 00FD0000; the same set as listed for the GetCurrentProcess/DuplicateHandle function above, with 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp included and this entry's own source file (1155000) omitted
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 40568d2d11b3ddf1d6de8e716672cfac9312cc93914bac6cc4f0b330a14cc69f
      • Instruction ID: f769a193face4cead04216fab926b772960e7ffe42e262aa7cd3e306c61ff890
      • Opcode Fuzzy Hash: 40568d2d11b3ddf1d6de8e716672cfac9312cc93914bac6cc4f0b330a14cc69f
      • Instruction Fuzzy Hash: D621C0AB20C365BDE7AA8D45AD60BFB6B6CD7C3630F318027FD55D6042D354090982B5

      Control-flow Graph (basic blocks: address range, API call, successors; executed / not-executed colouring not recoverable from the extracted text)
      • 172: 1159737-1159740, LoadLibraryA -> 173
      • 173: 1159751-115988d (no successors listed)
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the other memory dumps of module 00FD0000; the same set as listed for the GetCurrentProcess/DuplicateHandle function above, with 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp included and this entry's own source file (1155000) omitted
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 9771bd54dd979f417b51e0dabba4cb6cdf68add516240d24ee59917e1183cab2
      • Instruction ID: 8b9def98e0d8ec15a90dd466e7f842a9df0f8be092131118fdca9af317aebb85
      • Opcode Fuzzy Hash: 9771bd54dd979f417b51e0dabba4cb6cdf68add516240d24ee59917e1183cab2
      • Instruction Fuzzy Hash: F03137B250D704AFD7067F19D88567AFBE9FF94320F26482DE6C483250EA719850CA87

      Control-flow Graph (basic blocks: address range, API or internal call, successors; executed / not-executed colouring not recoverable from the extracted text; this graph is the 115bfda function entered at 115c01e)
      • 174: 115c01e-115c03b -> 177, 178
      • 177: 115c041-115c04a -> 178
      • 178: 115c04b-115c07d -> 182, 183
      • 182: 115c087-115c088 -> 184, 185
      • 183: 115c083-115c086 -> 182
      • 184: 115c091-115c0ef, CreateFileA -> 189, 190
      • 185: 115c08e (single instruction) -> 184
      • 189: 115c0f5-115c120 -> 195, 196
      • 190: 115c2ec-115c307, call 115c30a (no successors listed)
      • 195: 115c126-115c149, call 115c14c (no successors listed)
      • 196: 115c121 (single instruction) -> 195
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 66f1a18f27712fdc7a4b93883a1755e675bfc11dce3052f7dc8057edb5c15cf0
      • Instruction ID: 6b3c8fa0c6c3b22e83d54f91b838f1c71e63e72356004524422a58bf1fa6238c
      • Opcode Fuzzy Hash: 66f1a18f27712fdc7a4b93883a1755e675bfc11dce3052f7dc8057edb5c15cf0
      • Instruction Fuzzy Hash: 33118EBF208221BC76A9CD4ABE50FFBA76DE5C7A70731842BFC16D2102D3510D0991B1

      Control-flow Graph
      • Legend: Executed / Not Executed (node shading is not preserved in this text export)
      • Blocks: 200 115c030-115c03b; 201 115c041-115c04a; 202 115c04b-115c07d; 206 115c087-115c088; 207 115c083-115c086; 208 115c091-115c0ef (CreateFileA); 209 115c08e; 213 115c0f5-115c120; 214 115c2ec-115c307 (call 115c30a); 219 115c126-115c149 (call 115c14c); 220 115c121
      • Edges: 200->201, 200->202, 201->202, 202->206, 202->207, 206->208, 206->209, 207->206, 208->213, 208->214, 209->208, 213->219, 213->220, 220->219
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: ba4ca5dbb148bc0fa73f08bd7fe66319c58f9d2ac06882f6dca3270bd9d3e64c
      • Instruction ID: 1469ed63a7e242ed352d7ce984ac971b52c3137527aeeb327743e4a6fea14d80
      • Opcode Fuzzy Hash: ba4ca5dbb148bc0fa73f08bd7fe66319c58f9d2ac06882f6dca3270bd9d3e64c
      • Instruction Fuzzy Hash: BA118EBB208225BC77A9CD4A7E54FFBAB2DD5C3A70731842BFC56D2002E351094A41B1

      Control-flow Graph
      • Legend: Executed / Not Executed (node shading is not preserved in this text export)
      • Blocks: 232 11b44fb-11b450c; 233 11b453b-11b4544; 234 11b4512-11b4526; 237 11b454a-11b455b (call 11b3cdd); 238 11b4621; 242 11b4629; 243 11b452c-11b453a; 244 11b457b-11b45ba (CreateFileA); 245 11b4561-11b4565; 246 11b4630-11b4634; 247 11b456b-11b4577 (call 11b8d65); 248 11b4578; 249 11b45de-11b45e1; 250 11b45c0-11b45dd; 253 11b45e7-11b45fe; 254 11b4614-11b461c (call 11b3b6c); 260 11b4604-11b460f (call 11b3bda)
      • Edges: 232->233, 232->234, 233->237, 233->238, 234->242, 234->243, 237->244, 237->245, 238->242, 242->246, 243->233, 244->249, 244->250, 245->247, 245->248, 247->248, 248->244, 249->253, 249->254, 250->249, 253->246, 253->260, 254->242, 260->242
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 011B45B0
      • Decoded: dwDesiredAccess = 0x80000000 (GENERIC_READ), dwShareMode = 1 (FILE_SHARE_READ), lpSecurityAttributes = NULL, dwCreationDisposition = 3 (OPEN_EXISTING), dwFlagsAndAttributes = 0, hTemplateFile = NULL: the function opens an existing file read-only; the file name (first argument) was not captured, and the two trailing values are stack slots beyond the seven parameters
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 95b1683f2bad4a80ee31aedbb5994c2175bb94474c279d0a6db47a064095c03a
      • Instruction ID: e7d1e21782fd5a27e42e8ef8dbb1adce1e9847201aea510ae89eef506d09a5bb
      • Opcode Fuzzy Hash: 95b1683f2bad4a80ee31aedbb5994c2175bb94474c279d0a6db47a064095c03a
      • Instruction Fuzzy Hash: 44318D71A00209FAEB29DFA4DC84FEDBBB8FF44318F208169F916AA591C7719651CB10

      Control-flow Graph
      • Legend: Executed / Not Executed (node shading is not preserved in this text export)
      • Blocks: 263 115c06a-115c076; 264 115c048-115c065; 265 115c078-115c07d; 266 115c087-115c088; 267 115c083-115c086; 269 115c091-115c0ef (CreateFileA); 270 115c08e; 275 115c0f5-115c120; 276 115c2ec-115c307 (call 115c30a); 281 115c126-115c149 (call 115c14c); 282 115c121
      • Edges: 263->264, 263->265, 264->265, 265->266, 265->267, 266->269, 266->270, 267->266, 269->275, 269->276, 270->269, 275->281, 275->282, 282->281
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 012daae8054e0b87349043f0c9ac17b3edd2c61e5648cc967f4842bc30e92b32
      • Instruction ID: 03b34274dae3acd2edb44fb09a5fc5166a357f30b7ff86b2684a593704361705
      • Opcode Fuzzy Hash: 012daae8054e0b87349043f0c9ac17b3edd2c61e5648cc967f4842bc30e92b32
      • Instruction Fuzzy Hash: 30119DBB248226BC76A9CD4A6E50FFBA76DE5C3A70731842BFC16D6102E3400D0951B1

      Control-flow Graph
      • Legend: Executed / Not Executed (node shading is not preserved in this text export)
      • Blocks: 286 115c054-115c07d; 289 115c087-115c088; 290 115c083-115c086; 291 115c091-115c0ef (CreateFileA); 292 115c08e; 296 115c0f5-115c120; 297 115c2ec-115c307 (call 115c30a); 302 115c126-115c149 (call 115c14c); 303 115c121
      • Edges: 286->289, 286->290, 289->291, 289->292, 290->289, 291->296, 291->297, 292->291, 296->302, 296->303, 303->302
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: c3a7e1b11c6c3eacdb31b4d38c7b80170f11f5010bde4e85c4cdf2735cffeb57
      • Instruction ID: f6623392da32fe92e1b9dbb9916f1f130c774f973936bb89c780f1859f6313d8
      • Opcode Fuzzy Hash: c3a7e1b11c6c3eacdb31b4d38c7b80170f11f5010bde4e85c4cdf2735cffeb57
      • Instruction Fuzzy Hash: 7A11BCBB24C226BC7669CD46AE54EFBAB2DD5C3670731842BFC66C2542E350090E91B1
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 011B3D99
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: be376f0aa648225c8581f5a3221ea5e91b7973e2a1c943c01845717136311d92
      • Instruction ID: dade70525040434fc69f69dd1dd3fb2f8a4f788bb2c1f385648eeeb7c32d2bf3
      • Opcode Fuzzy Hash: be376f0aa648225c8581f5a3221ea5e91b7973e2a1c943c01845717136311d92
      • Instruction Fuzzy Hash: 38318171640205BEEB359F68DC85FDDBBB8BF04728F20425AF621AA1D1D3B1A551CB14
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 26da82695301d857c0bec744ca25c11ef2c3626d3d32849d69ffa5f8eb257f69
      • Instruction ID: 217e13258fdf7b806981413a5e6f501e9a3a7c09f94de523c6a010e8f4bd731f
      • Opcode Fuzzy Hash: 26da82695301d857c0bec744ca25c11ef2c3626d3d32849d69ffa5f8eb257f69
      • Instruction Fuzzy Hash: 4901ADBB20C265BCB766CC466E50FFB6B2CD6C6A70B31842BFC56C2442D305090E82B1
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 5d3b85f7f81d4ac37b2705a3912318ba1da9a466bbaba9546152d5b9485f5368
      • Instruction ID: 664d05cb21e2cbc81398fefd6fb5b1463f87c6e72f45e7d70fdbc7dbe49a0d43
      • Opcode Fuzzy Hash: 5d3b85f7f81d4ac37b2705a3912318ba1da9a466bbaba9546152d5b9485f5368
      • Instruction Fuzzy Hash: AC0180BB20C395FDB755C996AE50FFB7B6CD6C6630731942BF812C6442C350080A86B5
      APIs
      • CreateFileA.KERNELBASE(?,0115C01A,00000003), ref: 0115C0D8
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: bf0a2e1615ad6c88fffaa46e7841389d9f139c070fed3a0e59cdf43a2feb48a6
      • Instruction ID: 747928f74e88748c5d7977a27c5893fc60a74fe6996e09d7a7480b0b9c5a4308
      • Opcode Fuzzy Hash: bf0a2e1615ad6c88fffaa46e7841389d9f139c070fed3a0e59cdf43a2feb48a6
      • Instruction Fuzzy Hash: 7DF0A9BB20C265BCB664C98ABE24FFBBB2CD1C6A30731842BFC16C2042D3540D0E81B0
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 049D0DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2392655172.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_49d0000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: f306bf4b0f3399e1d912b9d7a8f35ce994b686946f0eb851760ffc8de51f5524
      • Instruction ID: ffd5a0d6ef3d03a1e7d2114a4a05d11e1bf63f42d4d9a434436cc500dd7aa95a
      • Opcode Fuzzy Hash: f306bf4b0f3399e1d912b9d7a8f35ce994b686946f0eb851760ffc8de51f5524
      • Instruction Fuzzy Hash: 7F2135B6C00309DFCB50CF99D884ADEFBF4FB88710F14822AD809AB204C734A540CBA4
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 049D0DCD
      Memory Dump Source
      • Source File: 00000000.00000002.2392655172.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_49d0000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 8ad933fdc6b53d54e38405b314cc1a383db48b3e96c0e915df5bad30452846ea
      • Instruction ID: bc87e8312d6ba48c50642fdb437ea049d19f3d7ff80b6550e3c266888f7798f1
      • Opcode Fuzzy Hash: 8ad933fdc6b53d54e38405b314cc1a383db48b3e96c0e915df5bad30452846ea
      • Instruction Fuzzy Hash: 3A2132B6800309CFDB40CF99D484ADEFBF1BB88320F15822AD909AB204C734A941CFA4
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 049D1580
      Memory Dump Source
      • Source File: 00000000.00000002.2392655172.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_49d0000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: da19137f72bafc5a63792b9235f30e69f778db866ed4dd8bb0e488ce28a50ea8
      • Instruction ID: 03c312a1b4c2c56b1d5b2ef67b5267267ad1b83d44f6c823fa876682560c9c73
      • Opcode Fuzzy Hash: da19137f72bafc5a63792b9235f30e69f778db866ed4dd8bb0e488ce28a50ea8
      • Instruction Fuzzy Hash: 9411D3B5900749DFDB10CF9AC585BDEFBF4AB48320F10802AE559A7250D378A644CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 049D1580
      Memory Dump Source
      • Source File: 00000000.00000002.2392655172.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_49d0000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: c84d19c91c3149ae14beb04ffaa8db28263f460150d5eed94a9205fbe3f2178f
      • Instruction ID: 2915a5cdbfd77bfee3d7da130ee6611f7eb81dd476ce998ecf482d94134aecc2
      • Opcode Fuzzy Hash: c84d19c91c3149ae14beb04ffaa8db28263f460150d5eed94a9205fbe3f2178f
      • Instruction Fuzzy Hash: 521100B6900309CFDB10CF9AC585BDEFBF4BB48320F10842AE558A7250D778AA44CFA5
      APIs
      • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?), ref: 011B70CF
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: FileView
      • String ID:
      • API String ID: 3314676101-0
      • Opcode ID: b5791c1c39eb378e7f89f38fe2132e759de129e1ae8c74534b290a593d146958
      • Instruction ID: 04de45b0654f14960d265762b3fa8a4290d5980fe700f363986405258fa5d1c2
      • Opcode Fuzzy Hash: b5791c1c39eb378e7f89f38fe2132e759de129e1ae8c74534b290a593d146958
      • Instruction Fuzzy Hash: 0211BA3650010BFFDF2A6FA4DC95DDF3F66AFA9244B018512F612550A0C736C5B2EB62
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4ab86c22357bbdc0008f5d28452a58d060dd74b6473ac666d53bbfd7335428b7
      • Instruction ID: 5dd3e87044ad5e3ed161a345cf2b9fceec4af577bcc9cab47d151050c7d0d819
      • Opcode Fuzzy Hash: 4ab86c22357bbdc0008f5d28452a58d060dd74b6473ac666d53bbfd7335428b7
      • Instruction Fuzzy Hash: FC111B3210025AFADF1EEFA8DC88ADF3B76AF64344F058414F91256060C736D671DB61
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 049D1367
      Memory Dump Source
      • Source File: 00000000.00000002.2392655172.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_49d0000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 08b9d85ab7dcc91bf0ca2efd7b6cbcb3ff44bc31ed35b60bda99de64c560b263
      • Instruction ID: 19fb1949c14b580ca9e85c0934eb9c97994f9e0d2bd7219a4e0793cd3e712ab3
      • Opcode Fuzzy Hash: 08b9d85ab7dcc91bf0ca2efd7b6cbcb3ff44bc31ed35b60bda99de64c560b263
      • Instruction Fuzzy Hash: CB1113B1800649CFDB10CF9AC485BDEFBF4EB48320F20846AD558A7641D778A544CFA5
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 049D1367
      Memory Dump Source
      • Source File: 00000000.00000002.2392655172.00000000049D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 049D0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_49d0000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 428c460cf5f6d7caa67713e3bf61e66a78d5de4b3d0ec392a2cd6312062cd722
      • Instruction ID: feb9d198854942d326a821b9c7ec1184e4bda85dbd81515121468bed665c410e
      • Opcode Fuzzy Hash: 428c460cf5f6d7caa67713e3bf61e66a78d5de4b3d0ec392a2cd6312062cd722
      • Instruction Fuzzy Hash: C01133B1800349CFDB10CF9AC445BDEFBF8EB48320F20842AE558A3640D778A944CFA5
      APIs
      • ReadFile.KERNELBASE(?,00000000,?,00000400,?,?,?,011B4443,?,?,00000400,?,00000000,?,00000000), ref: 011B6780
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: FileRead
      • String ID:
      • API String ID: 2738559852-0
      • Opcode ID: e03a17e162b441b45903a6315034253f5aab44f002fe3e2fa56b62ca103b4d29
      • Instruction ID: fd4f01a3675a0da55a3d94039910a874af7adf3617531630cf3a7ff121f61360
      • Opcode Fuzzy Hash: e03a17e162b441b45903a6315034253f5aab44f002fe3e2fa56b62ca103b4d29
      • Instruction Fuzzy Hash: 18F0373610450AFBCF1AAF98DC98DDF3F66BF64644F018411FA124A060D732C8B2EB61
      APIs
      • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 011B3AE7
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: HandleModule
      • String ID:
      • API String ID: 4139908857-0
      • Opcode ID: e05ed35309558100c809018780c6d2e258d861175e005a8e3d69b7d0dba8367b
      • Instruction ID: 4737785b9f1f8f6eecf73bdbfa6d23364fc6731e9df9dfec7eb81fc408977e4f
      • Opcode Fuzzy Hash: e05ed35309558100c809018780c6d2e258d861175e005a8e3d69b7d0dba8367b
      • Instruction Fuzzy Hash: 03F09075600205AFDF19EF68D8C9AEE7BA4FF14354F218415FE26C6151C331C5A0DA51
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 3ec28ef3c199eb7b19af9ac82238ed21b428f4062b1bcd97511c113230dac3bb
      • Instruction ID: e7668cdc53fcb5005db92703b109111c3b21c4d5877873aa27ae62b2b3447b4d
      • Opcode Fuzzy Hash: 3ec28ef3c199eb7b19af9ac82238ed21b428f4062b1bcd97511c113230dac3bb
      • Instruction Fuzzy Hash: 05E0262366837EB8E3EC5AF818627BA2748C790264F20012AAA68EA0C2C158080542A9
      APIs
      • CloseHandle.KERNELBASE(011B44D8,?,?,011B44D8,?), ref: 011B4B53
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: 4b7a68cd39360f1191843dd4de55639f72f70d1d65d556545be846c0fae99707
      • Instruction ID: 1ada096879c308b102574f18fde937efa6a423af837da7e0670e5c075a22eefb
      • Opcode Fuzzy Hash: 4b7a68cd39360f1191843dd4de55639f72f70d1d65d556545be846c0fae99707
      • Instruction Fuzzy Hash: 0DE04872104153B5CE2D7E69E998ECFAE796FA06487014521F51346411C721C092D561
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 00FDFC18
      Memory Dump Source
      • Source File: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 5dbe43114c7b7197ab245d2b199a04a472bfbebd245abce07c3f7e18a3889333
      • Instruction ID: cceb448f01a1f9436ff5aa7a80da039c5bde762af596c00bb4949b8ef52fe051
      • Opcode Fuzzy Hash: 5dbe43114c7b7197ab245d2b199a04a472bfbebd245abce07c3f7e18a3889333
      • Instruction Fuzzy Hash: EBE04F7244C28ACBC744AF30C419A6E77B1EF00360F14052ADD9386390D7328C64EE06
      APIs
      • CloseHandle.KERNELBASE(?), ref: 011B3BE0
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: 2685606a32d9a5b43b2319700d854d2f299d15cfdfa6e009d8f0f4b95b1d8122
      • Instruction ID: 391443f616482690001b56401fd919ed89d69d60289f4f51675f1dfadcde7e9f
      • Opcode Fuzzy Hash: 2685606a32d9a5b43b2319700d854d2f299d15cfdfa6e009d8f0f4b95b1d8122
      • Instruction Fuzzy Hash: 09B09231014109BBCB15BF55ED0698DFF7ABF21298B008121F916444218BB2E970ABD4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: 00000000.00000002.2387653002.0000000000FD0000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387668716.0000000000FD2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387693220.0000000000FD6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387711539.0000000000FDA000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387738840.0000000000FE6000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387846344.000000000113C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387865487.000000000113F000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387889184.0000000001164000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387932528.0000000001166000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387950210.0000000001167000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387970058.000000000116C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2387988202.000000000116D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388038737.000000000117C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388065007.000000000117D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388084206.000000000117E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388099463.000000000117F000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388123896.0000000001192000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388138389.0000000001193000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388174818.000000000119B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388192414.00000000011A1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388241047.00000000011A2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388262935.00000000011A7000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388301871.00000000011B9000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388605346.00000000011C8000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388656508.00000000011CC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388674495.00000000011D4000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388691750.00000000011DC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388708925.00000000011DD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388726785.00000000011E3000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388747649.00000000011EB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388768240.00000000011EC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388810847.00000000011F3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388831576.00000000011F4000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388847710.00000000011F5000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388865293.00000000011F6000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388886350.00000000011F7000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388908493.00000000011FB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388929568.0000000001204000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388950047.000000000120C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388965577.000000000120D000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2388982872.0000000001215000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389011185.0000000001225000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389031601.0000000001227000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389051455.0000000001234000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389071487.0000000001237000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389118000.0000000001269000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389260975.000000000126A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.0000000001273000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389380065.000000000127E000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389550287.000000000128C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2389628175.000000000128E000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID:
      • String ID: Ql?|$U~/o$^-}
      • API String ID: 0-4118198975
      • Opcode ID: d88e5f58a318e79f8d36db00bd35485e550a0028d23dd1261b7e480f947838a9
      • Instruction ID: ab95f96eec6333e59b9091bee28f3bedf65354d3945ed0a83d54635bb5276ec6
      • Opcode Fuzzy Hash: d88e5f58a318e79f8d36db00bd35485e550a0028d23dd1261b7e480f947838a9
      • Instruction Fuzzy Hash: A6F1D1F260C2049FE304AF29EC8567AFBE5EF98720F16493DEAC487740EA3558458797
      APIs
      • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 011B6E13
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the remaining memory dump regions of this image, as enumerated in the first Memory Dump Source entry above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: CryptSignatureVerify
      • String ID:
      • API String ID: 1015439381-0
      • Opcode ID: e59cf84a6bfc671be4bce69cdbec13b1cf3b76c9e578478daea6f260a24bec3a
      • Instruction ID: 44c69af0f5ff3f7c41510d7c9cb28eaf0013eb370d227fe6dd7b5eaa84e73380
      • Opcode Fuzzy Hash: e59cf84a6bfc671be4bce69cdbec13b1cf3b76c9e578478daea6f260a24bec3a
      • Instruction Fuzzy Hash: 19F0F83260120AEFCF05CF94C9459CD7BB1FF19304B108029F916AA251D7769AB0EF80
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the remaining memory dump regions of this image, as enumerated in the first Memory Dump Source entry above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2f8d5978833354d8c35ae6dd6da9f3659f6a338e5413a6be2d551d107486ffc2
      • Instruction ID: 746f4ed4b3f45c7930a4f506217f4c6997f1fae19e3363828df7403c2dd889ee
      • Opcode Fuzzy Hash: 2f8d5978833354d8c35ae6dd6da9f3659f6a338e5413a6be2d551d107486ffc2
      • Instruction Fuzzy Hash: 76314DB251C604EFE309AF29DC86ABAFBE5FB58310F42492DE6C583650E7315840CB97
      Memory Dump Source
      • Source File: 00000000.00000002.2387889184.0000000001155000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the remaining memory dump regions of this image, as enumerated in the first Memory Dump Source entry above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0df611d212996a5528f69901c34581783a925248463d9984a41dfcd362ee2244
      • Instruction ID: 7e210c85db22d78ff80c09daaca34bb24ac4b47a6aec4eee073faad263d86600
      • Opcode Fuzzy Hash: 0df611d212996a5528f69901c34581783a925248463d9984a41dfcd362ee2244
      • Instruction Fuzzy Hash: 023149B250C600EFE309AF29D886ABAFBE5FB58310F02492DE6C583654D7316840CB97
      APIs
        • Part of subcall function 011B64C2: IsBadWritePtr.KERNEL32(?,00000004), ref: 011B64D0
      • wsprintfA.USER32 ref: 011B548A
      • LoadImageA.USER32(?,?,?,?,?,?), ref: 011B554E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      • Associated: the remaining memory dump regions of this image, as enumerated in the first Memory Dump Source entry above
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: ImageLoadWritewsprintf
      • String ID: %8x$%8x
      • API String ID: 416453052-2046107164
      • Opcode ID: 0d04cc7792d2fae1821bb8f4460daf0fc56d0ff25a46464607fccfb278222f24
      • Instruction ID: 7252209dd36582d902f1c11464ffc1a0735beabd859c4de10311d2ca269080ae
      • Opcode Fuzzy Hash: 0d04cc7792d2fae1821bb8f4460daf0fc56d0ff25a46464607fccfb278222f24
      • Instruction Fuzzy Hash: 3131067290010AFBDF15DF94DC89EEEBBBAFF54700F108125F512A6160D7319A61DB60
      APIs
      • GetFileAttributesExW.KERNEL32(00765234,00004020,00000000,-112F5FEC), ref: 011B6102
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2388282757.00000000011B3000.00000080.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_fd0000_file.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: 0dd33179857245e95a0478ea31a613a8f1ed5152a577a6169fd2ab843d4f2b77
      • Instruction ID: ef5bb38a94158eb425993ea0734815a46cdceb769c008b9fd99c252028c10a46
      • Opcode Fuzzy Hash: 0dd33179857245e95a0478ea31a613a8f1ed5152a577a6169fd2ab843d4f2b77
      • Instruction Fuzzy Hash: 123157B1504206EFDB29CF59C888BCEBFB1FF18354F008529E956676A0C375A6A5CF90