
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562671
MD5: f87ac6c41d36f35ef2b8c6c959ccfe26
SHA1: 1af22075b086492c4c254f04a7e06f9cac1f8aa0
SHA256: 0fcd2882d307444c83e0f7c26ce048780892df4184db29fd70713cff9a6bde70
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F87AC6C41D36F35EF2B8C6C959CCFE26)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample - Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe - Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00C181CD CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1782067133.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe - Static PE information: section name:
Source: file.exe - Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BF01D1
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00CA344C
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC16AF
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC16C0
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00C9A609
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00C3A71D
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A55753
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A4D9D9
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A55945
Source: C:\Users\user\Desktop\file.exe - Code function: String function: 00C131C2 appears 35 times
Source: file.exe, 00000000.00000000.1753625367.0000000000A46000.00000008.00000001.01000000.00000003.sdmp - Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.1915273824.000000000091E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe - Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine - Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe - File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe - Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe - Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe - Section loaded: sspicli.dll
Source: file.exe - Static file information: File size 2766336 > 1048576
Source: file.exe - Static PE information: Raw size of cjtrgbbx is bigger than: 0x100000 < 0x29d600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe - Unpacked PE file: 0.2.file.exe.a40000.0.unpack :EW;.rsrc:W;.idata :W;cjtrgbbx:EW;mwfxntjd:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample - Static PE information: section where entry point is pointing to: .taggant
Source: file.exe - Static PE information: real checksum: 0x2ab5b5 should be: 0x2ad3e2
Source: file.exe - Static PE information: section name:
Source: file.exe - Static PE information: section name: .idata
Source: file.exe - Static PE information: section name: cjtrgbbx
Source: file.exe - Static PE information: section name: mwfxntjd
Source: file.exe - Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC113F push eax; mov dword ptr [esp], 284C1A2Ch (at 0_2_00BC11C2)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC113F push eax; mov dword ptr [esp], 3426C600h (at 0_2_00BC11E1)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC113F push edx; mov dword ptr [esp], ebp (at 0_2_00BC1209)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC12A1 push ecx; mov dword ptr [esp], 4CFEAAF7h (at 0_2_00BC12D2)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC12A1 push 73A6984Bh; mov dword ptr [esp], ebp (at 0_2_00BC12F7)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC12A1 push 1C0C78BDh; mov dword ptr [esp], ebx (at 0_2_00BC1313)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A4E31C push 4FEC9A29h; mov dword ptr [esp], eax (at 0_2_00A4F3BC)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BCF63E push ecx; mov dword ptr [esp], edi (at 0_2_00BD2F81)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A51617 push 6E5B082Bh; mov dword ptr [esp], esi (at 0_2_00A51644)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A51617 push ecx; mov dword ptr [esp], 00714909h (at 0_2_00A51CC8)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BF10A4 push 35428BC2h; mov dword ptr [esp], ebx (at 0_2_00BF10C2)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BD00A3 push 4EAEB341h; mov dword ptr [esp], edx (at 0_2_00BD00C0)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A530E4 push 0C3CF9F5h; mov dword ptr [esp], ebp (at 0_2_00A540A2)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A530E4 push 5967958Bh; mov dword ptr [esp], edx (at 0_2_00A540C4)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BC50FA push edx; mov dword ptr [esp], esi (at 0_2_00BC510D)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00CA30A8 push ebx; mov dword ptr [esp], edx (at 0_2_00CA30E5)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00CA30A8 push edx; mov dword ptr [esp], ecx (at 0_2_00CA30FE)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BCA0C1 push eax; mov dword ptr [esp], 7EF1AB69h (at 0_2_00BCA0CC)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BCA0C1 push edx; mov dword ptr [esp], ecx (at 0_2_00BCA11A)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A4F01D push edi; mov dword ptr [esp], eax (at 0_2_00A4F176)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push 4218F713h; mov dword ptr [esp], ecx (at 0_2_00BBE0A5)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push ebx; mov dword ptr [esp], 1BD892E0h (at 0_2_00BBE1B2)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push 332C2141h; mov dword ptr [esp], edi (at 0_2_00BBE213)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push esi; mov dword ptr [esp], ebp (at 0_2_00BBE23B)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push 375B3380h; mov dword ptr [esp], eax (at 0_2_00BBE348)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push esi; mov dword ptr [esp], esp (at 0_2_00BBE36E)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push ebx; mov dword ptr [esp], edi (at 0_2_00BBE380)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push ecx; mov dword ptr [esp], ebp (at 0_2_00BBE401)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push edx; mov dword ptr [esp], edi (at 0_2_00BBE48A)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00BBE000 push 63994CB0h; mov dword ptr [esp], esi (at 0_2_00BBE52A)
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00A5106C push 078D939Dh; mov dword ptr [esp], esi (at 0_2_00A52469)
Source: file.exe - Static PE information: section name: entropy: 7.780992080954283

Boot Survival

Source: C:\Users\user\Desktop\file.exe - Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe - Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe - Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe - Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe - Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe - Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe - File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe - File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: A4DA9F second address: A4DAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC1F7F second address: BC1F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC1F84 second address: BC1F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC1F8A second address: BC1F90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC1F90 second address: BC1F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC13DE second address: BC13E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC13E4 second address: BC13FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FE9A4DE4326h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC558A second address: BC55BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE9A4829B26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC5641 second address: BC5645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC5738 second address: BC578C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FE9A4829B1Dh 0x0000000f nop 0x00000010 mov esi, dword ptr [ebp+122D2C13h] 0x00000016 push 00000000h 0x00000018 mov edi, 37838B2Ch 0x0000001d mov edx, 7EB483C7h 0x00000022 push 59BF0A61h 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007FE9A4829B1Eh 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC578C second address: BC5795 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC5795 second address: BC5799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC5799 second address: BC57D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 59BF0AE1h 0x0000000e mov dword ptr [ebp+122D1ED4h], ebx 0x00000014 push 00000003h 0x00000016 mov ecx, eax 0x00000018 mov ecx, edi 0x0000001a push 00000000h 0x0000001c movsx ecx, dx 0x0000001f push 00000003h 0x00000021 mov esi, dword ptr [ebp+122D2A7Bh] 0x00000027 or dword ptr [ebp+122D1C4Dh], esi 0x0000002d push E4DEA7A8h 0x00000032 jbe 00007FE9A4DE4334h 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC57D5 second address: BC57D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BC58D9 second address: BC58DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BBCC93 second address: BBCC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BBCC99 second address: BBCC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BBCC9D second address: BBCCD4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FE9A4829B32h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FE9A4829B1Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BBCCD4 second address: BBCCD9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BBCCD9 second address: BBCCDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BBCCDF second address: BBCCEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007FE9A4DE4341h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE3D6F second address: BE3DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE9A4829B16h 0x0000000a jmp 00007FE9A4829B1Bh 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007FE9A4829B28h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE473F second address: BE476E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE4338h 0x00000007 jmp 00007FE9A4DE432Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007FE9A4DE4332h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE476E second address: BE477C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE9A4829B16h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE477C second address: BE4782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE4782 second address: BE4786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE4C0D second address: BE4C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE56CA second address: BE56D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE798B second address: BE798F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE798F second address: BE799B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BE799B second address: BE79A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BAD951 second address: BAD95B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE9A4829B16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BEF8B5 second address: BEF8BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BEFCCF second address: BEFCD5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BEFCD5 second address: BEFCDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF318A second address: BF318E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF3466 second address: BF3477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a je 00007FE9A4DE4326h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF3477 second address: BF347E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF35F3 second address: BF35FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FE9A4DE4326h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF35FE second address: BF3603 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF3FD6 second address: BF3FDB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF41F3 second address: BF41F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF41F7 second address: BF4201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF4201 second address: BF4205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF5217 second address: BF521B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF521B second address: BF5228 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE9A4829B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF5228 second address: BF52A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FE9A4DE4328h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 pushad 0x00000024 add ecx, dword ptr [ebp+122D2BCFh] 0x0000002a popad 0x0000002b push 00000000h 0x0000002d jmp 00007FE9A4DE432Ah 0x00000032 mov esi, dword ptr [ebp+122D2E26h] 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007FE9A4DE4328h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 sub dword ptr [ebp+122D1EE4h], ebx 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e je 00007FE9A4DE4326h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF635F second address: BF6374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE9A4829B1Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF6374 second address: BF6378 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF6DC3 second address: BF6DCD instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A4829B1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF83FE second address: BF8405 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BF8122 second address: BF8151 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FE9A4829B28h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e ja 00007FE9A4829B22h 0x00000014 jnp 00007FE9A4829B1Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFD04D second address: BFD05C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFD66B second address: BFD66F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFD66F second address: BFD68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A4DE4331h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFD68E second address: BFD692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFD692 second address: BFD698 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFA1D2 second address: BFA1EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A4829B26h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C03A26 second address: C03A2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFD872 second address: BFD879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C03A2A second address: C03A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b je 00007FE9A4DE4329h 0x00000011 mov si, ax 0x00000014 call 00007FE9A4DE4332h 0x00000019 mov edx, 6267A16Eh 0x0000001e pop ebx 0x0000001f popad 0x00000020 push 00000000h 0x00000022 ja 00007FE9A4DE432Ch 0x00000028 push 00000000h 0x0000002a mov edi, ecx 0x0000002c mov edi, ecx 0x0000002e xchg eax, esi 0x0000002f jmp 00007FE9A4DE4331h 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FE9A4DE432Ch 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFE906 second address: BFE914 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9A4829B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: BFF81C second address: BFF8A6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE9A4DE4326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b je 00007FE9A4DE4326h 0x00000011 pop ecx 0x00000012 popad 0x00000013 nop 0x00000014 mov dword ptr [ebp+124689CEh], ebx 0x0000001a push dword ptr fs:[00000000h] 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007FE9A4DE4328h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 00000019h 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b cld 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov edi, dword ptr [ebp+122D295Fh] 0x00000049 mov eax, dword ptr [ebp+122D145Dh] 0x0000004f mov dword ptr [ebp+122D28E9h], esi 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ebx 0x0000005a call 00007FE9A4DE4328h 0x0000005f pop ebx 0x00000060 mov dword ptr [esp+04h], ebx 0x00000064 add dword ptr [esp+04h], 00000017h 0x0000006c inc ebx 0x0000006d push ebx 0x0000006e ret 0x0000006f pop ebx 0x00000070 ret 0x00000071 mov dword ptr [ebp+122D1E43h], edi 0x00000077 push eax 0x00000078 push ebx 0x00000079 pushad 0x0000007a push edi 0x0000007b pop edi 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C03A8C second address: C03A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A4829B1Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C0492B second address: C04930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C03BE5 second address: C03C61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c or dword ptr [ebp+122D2DA2h], ecx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push ecx 0x0000001a pushad 0x0000001b mov dword ptr [ebp+12476DD9h], edi 0x00000021 mov esi, 70B1A55Bh 0x00000026 popad 0x00000027 pop ebx 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FE9A4829B18h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 00000018h 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov eax, dword ptr [ebp+122D03E9h] 0x0000004f and edi, dword ptr [ebp+12446E09h] 0x00000055 mov dword ptr [ebp+124689CEh], edx 0x0000005b push FFFFFFFFh 0x0000005d mov ebx, dword ptr [ebp+122D1C2Ah] 0x00000063 push eax 0x00000064 push edi 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C03C61 second address: C03C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe - RDTSC instruction interceptor: First address: C04B7A second address: C04B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C04B7E second address: C04B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C05D9A second address: C05D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C05D9E second address: C05DA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C079BD second address: C07A39 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FE9A4829B18h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 push esi 0x00000026 pop edi 0x00000027 mov edi, 5F3A13F1h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FE9A4829B18h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov di, 1456h 0x0000004c mov bh, E8h 0x0000004e xchg eax, esi 0x0000004f jne 00007FE9A4829B25h 0x00000055 push eax 0x00000056 pushad 0x00000057 je 00007FE9A4829B1Ch 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C08915 second address: C0891B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0891B second address: C0894D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A4829B1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnl 00007FE9A4829B3Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE9A4829B29h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C098A2 second address: C098A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C098A8 second address: C098AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0994A second address: C0995F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE432Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A8A6 second address: C0A8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FE9A4829B18h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A8B7 second address: C0A918 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE4339h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub bl, 00000004h 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+122D243Dh], edi 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FE9A4DE4328h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 adc edi, 2EE42AF1h 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a jc 00007FE9A4DE432Ch 0x00000040 jp 00007FE9A4DE4326h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0A918 second address: C0A922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FE9A4829B16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C09BA1 second address: C09BBB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE9A4DE4332h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C09BBB second address: C09BBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C09BBF second address: C09BCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0AAA6 second address: C0AAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0B908 second address: C0B975 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE4336h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FE9A4DE4328h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 or di, 06E0h 0x0000002b mov bx, dx 0x0000002e mov ebx, dword ptr [ebp+122D29C7h] 0x00000034 push 00000000h 0x00000036 sub dword ptr [ebp+12445F16h], esi 0x0000003c push 00000000h 0x0000003e add ebx, 1500E5ADh 0x00000044 xchg eax, esi 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 jmp 00007FE9A4DE432Dh 0x0000004d push ecx 0x0000004e pop ecx 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0ABC4 second address: C0ABD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0BBBF second address: C0BBEA instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9A4DE433Ah 0x00000008 jmp 00007FE9A4DE4334h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 je 00007FE9A4DE4326h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0CD4C second address: C0CD50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0DCF3 second address: C0DCFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C0DDBA second address: C0DDC8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FE9A4829B16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB978A second address: BB978E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB978E second address: BB97A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FE9A4829B16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FE9A4829B16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C1CECF second address: C1CEFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE9A4DE4335h 0x0000000b ja 00007FE9A4DE432Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C25183 second address: C251E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FE9A4829B1Ch 0x0000000c pop eax 0x0000000d popad 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jmp 00007FE9A4829B1Ah 0x00000018 push esi 0x00000019 jc 00007FE9A4829B16h 0x0000001f pop esi 0x00000020 popad 0x00000021 mov eax, dword ptr [eax] 0x00000023 jmp 00007FE9A4829B29h 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push edi 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FE9A4829B23h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C27B46 second address: C27B4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C27B4E second address: C27B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2B840 second address: C2B85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A4DE432Bh 0x00000009 popad 0x0000000a jmp 00007FE9A4DE432Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2B85E second address: C2B87B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B21h 0x00000007 jc 00007FE9A4829B1Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2BE3B second address: C2BE91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE4336h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FE9A4DE4332h 0x0000000e jmp 00007FE9A4DE432Bh 0x00000013 jbe 00007FE9A4DE432Eh 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007FE9A4DE432Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2BE91 second address: C2BE95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2C165 second address: C2C169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2C2A6 second address: C2C2AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAD99D second address: BAD9A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2C6BE second address: C2C6E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A4829B21h 0x00000008 jmp 00007FE9A4829B24h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2C95A second address: C2C967 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FE9A4DE4326h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C30F57 second address: C30F5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BB2A08 second address: BB2A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2FEE1 second address: C2FEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2FEE7 second address: C2FEF9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A4DE4326h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2FEF9 second address: C2FEFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF2042 second address: BF2062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A4DE4335h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF213A second address: BF2144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE9A4829B16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF22E6 second address: BF22F5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9A4DE4326h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF22F5 second address: BF2345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 xchg eax, esi 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007FE9A4829B18h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 mov dx, 3C7Eh 0x00000025 sub dword ptr [ebp+122D1C73h], ecx 0x0000002b nop 0x0000002c jmp 00007FE9A4829B26h 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jng 00007FE9A4829B16h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF2345 second address: BF2358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE432Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF23FF second address: BF2404 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF2636 second address: BF263C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF263C second address: BF2640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF2640 second address: BF265C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007FE9A4DE433Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE9A4DE432Bh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF29E8 second address: BF29EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF29EE second address: BF29F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF29F4 second address: BF29F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF29F8 second address: BF2A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007FE9A4DE432Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C302CC second address: C302D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C302D2 second address: C302F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A4DE432Eh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d js 00007FE9A4DE4326h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C302F1 second address: C3030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A4829B23h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3030A second address: C3030E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C304A6 second address: C304B0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9A4829B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C304B0 second address: C304CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9A4DE4337h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BAF41C second address: BAF458 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE9A4829B24h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop esi 0x0000000b jne 00007FE9A4829B18h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE9A4829B26h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C38A41 second address: C38A59 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jns 00007FE9A4DE4326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jo 00007FE9A4DE4326h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C38A59 second address: C38A84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B20h 0x00000007 pushad 0x00000008 jmp 00007FE9A4829B24h 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C38D30 second address: C38D60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE4330h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007FE9A4DE4337h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39204 second address: C3921B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9A4829B1Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3921B second address: C39225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE9A4DE4326h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39665 second address: C3966F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE9A4829B16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3966F second address: C3967B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE9A4DE4326h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C397C6 second address: C397CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C397CA second address: C397D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C397D6 second address: C397F7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE9A4829B18h 0x00000008 push edx 0x00000009 pop edx 0x0000000a je 00007FE9A4829B1Eh 0x00000010 jng 00007FE9A4829B16h 0x00000016 pushad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39959 second address: C39960 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C387A2 second address: C387A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C387A8 second address: C387AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C387AC second address: C387B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3E70C second address: C3E715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3E715 second address: C3E719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3E719 second address: C3E71D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3E94E second address: C3E965 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4829B23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3E965 second address: C3E97B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9A4DE4330h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3E97B second address: C3E97F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EADF second address: C3EAE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EAE5 second address: C3EAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EAE9 second address: C3EAFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9A4DE4331h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EAFE second address: C3EB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007FE9A4829B16h 0x00000014 jmp 00007FE9A4829B26h 0x00000019 jmp 00007FE9A4829B1Ch 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EB39 second address: C3EB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EB3D second address: C3EB41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EB41 second address: C3EB47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C3EB47 second address: C3EB4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE595 second address: CDE59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE59B second address: CDE5A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD41AD second address: CD41B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD41B3 second address: CD41B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD41B9 second address: CD41CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FE9A4DE4334h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD41CB second address: CD41CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD5131 second address: CD513C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD513C second address: CD5140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: BF6195 second address: BF619C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
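The entries above are the sandbox's record of rdtsc pairs: the sample reads the timestamp counter, runs a short stretch of stack-neutral junk (push/pop pairs, pushad/popad, jumps that land a few bytes further on), reads it again and compares the difference against a threshold; under a hypervisor or an instrumenting debugger the gap is far larger than on bare metal. The listed offsets are the cumulative byte lengths of the instructions that actually executed between the two reads, so in windows that contain a jump they fall short of the address distance, and the shortfall is the number of bytes the jump skipped. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses lines in the format above (four of the entries above are embedded as constructed input), recovers each window's address span, executed bytes, skipped bytes and branch instructions, and summarizes how many windows carry conditional branches and how many chain directly onto another window's closing rdtsc.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Four "RDTSC instruction interceptor" entries copied from the report above, used as sample input.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CC8D0B second address: CC8D30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007FE9A4DE4326h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e ja 00007FE9A4DE4332h 0x00000014 push ebx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CD0F01 second address: CD0F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CD0265 second address: CD026A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CD026A second address: CD028C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FE9A4DE4334h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FE9A4DE4326h 0x00000013 rdtsc",
]

HEADER = re.compile(r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)\s+instructions:\s*(.+)$")
OFFSET = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s+")   # every instruction is introduced by its 8-digit offset
CONDITIONAL = {"ja", "jae", "jb", "jbe", "jc", "jnc", "je", "jne", "jz", "jnz", "jg", "jge",
               "jl", "jle", "js", "jns", "jo", "jno", "jp", "jnp", "jecxz"}


@dataclass
class RdtscWindow:
    first: int                            # address of the opening rdtsc
    second: int                           # address of the closing rdtsc
    insns: List[Tuple[int, str, str]]     # (offset, mnemonic, operands) as listed

    @property
    def address_delta(self) -> int:
        return self.second - self.first

    @property
    def executed_bytes(self) -> int:
        # The closing rdtsc's offset is the byte length of everything executed before it.
        return self.insns[-1][0]

    @property
    def skipped_bytes(self) -> int:
        # Span not covered by executed bytes: jumped over by the junk jmp/jcc inside the window.
        return self.address_delta - self.executed_bytes

    @property
    def branches(self) -> List[str]:
        return [m for _, m, _ in self.insns if m == "jmp" or m in CONDITIONAL]

    @property
    def conditional_branches(self) -> List[str]:
        return [m for m in self.branches if m != "jmp"]

    @property
    def junk(self) -> List[Tuple[str, str]]:
        # Everything between the two timestamp reads.
        return [(m, o) for _, m, o in self.insns[1:-1]]


def parse_line(line: str) -> Optional[RdtscWindow]:
    """Parse one interceptor entry; returns None for report lines of any other kind."""
    m = HEADER.search(line)
    if not m:
        return None
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    parts = OFFSET.split(m.group(3).strip())      # ['', off, text, off, text, ...]
    if parts[0] != "" or len(parts) % 2 == 0:
        raise ValueError("listing is not a sequence of '0xOFFSET mnemonic [operands]'")
    insns = []
    for off, text in zip(parts[1::2], parts[2::2]):
        mnemonic, _, operands = text.strip().partition(" ")
        insns.append((int(off, 16), mnemonic, operands))
    if insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("window must open and close with rdtsc")
    return RdtscWindow(first, second, insns)


def triage(lines: List[str]) -> dict:
    """Summarize every interceptor entry found in a batch of report lines."""
    windows = [w for w in map(parse_line, lines) if w is not None]
    closers = {w.second for w in windows}
    return {
        "windows": len(windows),
        "with_conditional_branch": sum(1 for w in windows if w.conditional_branches),
        "with_skipped_bytes": sum(1 for w in windows if w.skipped_bytes > 0),
        # A window whose opening rdtsc closes another window: back-to-back timing checks.
        "chained": sum(1 for w in windows if w.first in closers),
        "max_junk_instructions": max((len(w.junk) for w in windows), default=0),
    }


if __name__ == "__main__":
    for w in map(parse_line, SAMPLE_LINES):
        print(f"{w.first:X}->{w.second:X}: span {w.address_delta}, executed {w.executed_bytes}, "
              f"skipped {w.skipped_bytes}, branches {w.branches}, junk {len(w.junk)}")
    print(triage(SAMPLE_LINES))
```

Feed it the whole report (or a Joe Sandbox JSON export flattened to lines) and the count of chained windows tells you how many consecutive timing checks the protector strings together, which is the number of rdtsc results an analyst has to fake consistently when stepping through this code.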
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A4DAF9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A4D9F9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C7D6B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6E20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Note: {4d36e968-e325-11ce-bfc1-08002be10318} is the display-adapter device class; its DriverDesc and the two BIOS version strings are where hypervisor vendor names (VirtualBox, VMware) surface, which is what queries of exactly these three values look for.
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC113F rdtsc 0_2_00BC113F
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7464 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Note: read as milliseconds, 922337203685477 is 2^63 units of 100 ns, i.e. the relative NtDelayExecution interval 0x8000000000000000, the largest the call accepts; this is an open-ended sleep (the "Contains long sleeps" signature), not a timed delay.
Source: file.exe, file.exe, 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Note: \\.\Oreans.vxd, Software\WinLicense and the VBOX__ ACPI table name are strings of the Oreans WinLicense/Themida protector runtime (its driver-extraction error messages and its VirtualBox check), which is consistent with the rdtsc windows, self-modifying code, non-standard section names and .taggant section recorded elsewhere in this report.
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC113F rdtsc 0_2_00BC113F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A4B7EA LdrInitializeThunk,0_2_00A4B7EA
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: vProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1730F GetSystemTime,GetFileTime,0_2_00C1730F
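The window and device names above map onto two API probes: FindWindowA with the string as a class name or as a window title (the report does not record which, and FindWindow compares both case-insensitively), and CreateFileA on the NTICE, SICE and SIWVID device objects that the SoftICE driver family registers, where a successful open means the debugger driver is loaded. The Python below is an added re-implementation of those probes for checking whether an analysis VM still exposes these artifacts; it is not code from the sample or from the report. probe() takes the two primitives as callables so it can be exercised with fakes, and win32_primitives() binds them to user32/kernel32 through ctypes on Windows. The \\.\ device-path prefix and the read-only open flags are assumptions, since the report shows only the bare names.

```python
import sys
from typing import Callable, List, Optional, Tuple

# Strings from the "Anti Debugging" lines above, as the report prints them.
WINDOW_STRINGS = [
    "regmonclass",
    "gbdyllo",
    "process monitor - sysinternals: www.sysinternals.com",
    "procmon_window_class",
    "registry monitor - sysinternals: www.sysinternals.com",
    "ollydbg",
    "filemonclass",
    "file monitor - sysinternals: www.sysinternals.com",
]
DEVICE_NAMES = ["NTICE", "SICE", "SIWVID"]   # SoftICE driver device objects

FindWindowFn = Callable[[Optional[str], Optional[str]], bool]   # (class, title) -> found
OpenDeviceFn = Callable[[str], bool]                            # (path) -> opened


def probe(find_window: FindWindowFn, open_device: OpenDeviceFn) -> List[Tuple[str, str]]:
    """Replay the sample's checks through the given primitives; returns (kind, name) hits."""
    hits: List[Tuple[str, str]] = []
    for s in WINDOW_STRINGS:
        if find_window(s, None):           # FindWindowA(lpClassName=s, lpWindowName=NULL)
            hits.append(("window class", s))
        elif find_window(None, s):         # FindWindowA(NULL, lpWindowName=s)
            hits.append(("window title", s))
    for name in DEVICE_NAMES:
        if open_device("\\\\.\\" + name):  # \\.\NAME; prefix assumed, the report shows only NAME
            hits.append(("device", name))
    return hits


def win32_primitives() -> Tuple[FindWindowFn, OpenDeviceFn]:
    """Bind the two probes to user32/kernel32; only meaningful on Windows."""
    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    user32.FindWindowA.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    user32.FindWindowA.restype = wintypes.HWND
    kernel32.CreateFileA.argtypes = [ctypes.c_char_p, wintypes.DWORD, wintypes.DWORD,
                                     ctypes.c_void_p, wintypes.DWORD, wintypes.DWORD,
                                     wintypes.HANDLE]
    kernel32.CreateFileA.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    invalid_handle = wintypes.HANDLE(-1).value          # INVALID_HANDLE_VALUE
    generic_read, open_existing = 0x80000000, 3          # assumed flags, not taken from the report

    def find_window(cls: Optional[str], title: Optional[str]) -> bool:
        enc = lambda s: None if s is None else s.encode("ascii")
        return bool(user32.FindWindowA(enc(cls), enc(title)))

    def open_device(path: str) -> bool:
        h = kernel32.CreateFileA(path.encode("ascii"), generic_read, 0, None,
                                 open_existing, 0, None)
        if h == invalid_handle:
            return False
        kernel32.CloseHandle(h)
        return True

    return find_window, open_device


if __name__ == "__main__":
    if sys.platform == "win32":
        for kind, name in probe(*win32_primitives()):
            print(f"{kind}: {name}")
    else:
        print("live probing needs Windows; run probe() with fakes elsewhere")
```

Run it inside the analysis VM with Process Monitor or OllyDbg open to confirm which artifact the sample would have seen; anything it reports is a name to change before the next detonation.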

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
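The four Defender values (DisableNotifications is listed twice) and three Windows Update policy values above are plain HKLM policy writes; they succeed here because the sample ran with administrator privileges (see the process table further down), and on a host with Tamper Protection enabled Defender is designed to ignore the real-time-protection ones, so a registry hit should be confirmed against the engine's actual state. The Python below is an added check, not part of the report or the sample: evaluate() grades a set of observed (key, value name) -> data pairs against the indicators the report lists, and read_policy_values() collects the same values from a live Windows registry (it returns an empty mapping elsewhere). The report shows the TamperProtection value name without its key, so the SOFTWARE\Microsoft\Windows Defender\Features location is an assumption; the three Windows Update values are flagged whenever present, because the report does not give their data.

```python
import sys
from typing import Dict, List, Optional, Tuple

RTP = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
NOTIFICATIONS = r"SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
FEATURES = r"SOFTWARE\Microsoft\Windows Defender\Features"   # assumed home of TamperProtection
WU = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
WU_AU = WU + r"\AU"

# (key under HKLM, value name) -> (data that indicates tampering, or None for "any data"), description
INDICATORS: Dict[Tuple[str, str], Tuple[Optional[int], str]] = {
    (RTP, "DisableRealtimeMonitoring"): (1, "real-time monitoring disabled by policy"),
    (RTP, "DisableIOAVProtection"): (1, "scanning of downloaded files and attachments disabled"),
    (NOTIFICATIONS, "DisableNotifications"): (1, "Security Center notifications suppressed"),
    (FEATURES, "TamperProtection"): (0, "tamper protection value cleared"),
    (WU_AU, "AUOptions"): (None, "automatic update behaviour forced by local policy"),
    (WU_AU, "AutoInstallMinorUpdates"): (None, "minor-update auto-install forced by local policy"),
    (WU, "DoNotConnectToWindowsUpdateInternetLocations"): (None, "Windows Update internet access policy set"),
}

# Constructed from the registry lines above; the report gives no data for the three update values.
REPORT_OBSERVATIONS: Dict[Tuple[str, str], Optional[int]] = {
    (NOTIFICATIONS, "DisableNotifications"): 1,
    (RTP, "DisableIOAVProtection"): 1,
    (RTP, "DisableRealtimeMonitoring"): 1,
    (FEATURES, "TamperProtection"): 0,
    (WU_AU, "AUOptions"): None,
    (WU_AU, "AutoInstallMinorUpdates"): None,
    (WU, "DoNotConnectToWindowsUpdateInternetLocations"): None,
}


def evaluate(observed: Dict[Tuple[str, str], Optional[int]]) -> List[dict]:
    """Return one finding per observed value that matches an indicator."""
    findings = []
    for (key, name), (bad_data, why) in INDICATORS.items():
        if (key, name) not in observed:
            continue
        data = observed[(key, name)]
        if bad_data is not None and data != bad_data:
            continue                      # e.g. DisableRealtimeMonitoring = 0 is the benign setting
        findings.append({
            "key": "HKLM\\" + key, "name": name, "data": data, "why": why,
            "technique": ("Disable or Modify Tools (T1562.001)" if "Windows Defender" in key
                          else "Modifies Windows Update settings"),
        })
    return findings


def read_policy_values() -> Dict[Tuple[str, str], Optional[int]]:
    """Collect the indicator values from the live registry; empty on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    observed: Dict[Tuple[str, str], Optional[int]] = {}
    # KEY_WOW64_64KEY: read the native view even from a 32-bit interpreter.
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    for key, name in INDICATORS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0, access) as handle:
                data, _ = winreg.QueryValueEx(handle, name)
        except OSError:
            continue                      # key or value absent: nothing to flag
        observed[(key, name)] = data
    return observed


if __name__ == "__main__":
    source = read_policy_values() or REPORT_OBSERVATIONS
    for f in evaluate(source):
        print(f"{f['technique']}: {f['key']}\\{f['name']} = {f['data']} ({f['why']})")
```

On the host, pair a finding with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) before treating the write as a successful bypass; the registry records the attempt, the engine state records whether it worked.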
MITRE ATT&CK matrix (the original page renders the full tactic grid; only the techniques the signatures matched are listed here, each with the count shown in its cell)

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2)
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
Discovery: System Time Discovery (1), Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (23)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2)
No matches under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.
Detection (Source | Detection | Scanner | Label | Link)
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches in the other antivirus tables
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1562671
Start date and time:2024-11-25 21:26:05 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.541052937295285
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'766'336 bytes
MD5:f87ac6c41d36f35ef2b8c6c959ccfe26
SHA1:1af22075b086492c4c254f04a7e06f9cac1f8aa0
SHA256:0fcd2882d307444c83e0f7c26ce048780892df4184db29fd70713cff9a6bde70
SHA512:cbfd14e1a7277cec2666273b4e43d79d483168ca1ba27c2ce9fb9bcf45e52dcce0545a2504f703d50ef5c5a21d7cff8e9666da9d342d0414701167a8dc4e5651
SSDEEP:24576:TqXBEDQGrCObu5+vc12AH9tUc6S3nn7j3fl3QjneYg6mOnrEKW1N+G2bSp0LTxO6:mXBIQGrCObu5XTQ+3X+z9nrU2hP955
TLSH:F4D54C92B94872CFD48E17B45427CD4E985D47FA872088C7A92DB4BF7EA3CC115B9C28
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......*...`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x6aa000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Entry point instructions (disassembly at the entry point 0x6aa000, section .taggant)
jmp 00007FE9A4BCCDEAh
unpcklps xmm5, dqword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
(the next 92 lines of the original listing repeat add byte ptr [eax], al: zero bytes decoded as instructions)
Data directories (Name | Virtual Address | Virtual Size | Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
(blank) | 0x2000 | 0x4000 | 0x1200 | ce691b73fbbe267d10ab0a3350ccb1a6 | False | 0.9331597222222222 | data | 7.780992080954283 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cjtrgbbx | 0xa000 | 0x29e000 | 0x29d600 | a64e298dcfb7b034b723979ffd331f84 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mwfxntjd | 0x2a8000 | 0x2000 | 0x400 | 0c6207c20d41305560a383b834b2bc12 | False | 0.7802734375 | data | 6.21411690748094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2aa000 | 0x4000 | 0x2200 | 4a733f056dfb81a193aab102ab644d49 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

Imports (DLL | Import)
kernel32.dll | lstrcpy
No network behavior found

Target ID:0
Start time:15:27:03
Start date:25/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0xa40000
File size:2'766'336 bytes
MD5 hash:F87AC6C41D36F35EF2B8C6C959CCFE26
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:4.2%
    Signature Coverage:1.8%
    Total number of Nodes:284
    Total number of Limit Nodes:13
    execution_graph: the node and edge dump that the original page renders as an interactive graph. The edge list is omitted here; the API-bearing nodes, with the addresses the graph assigns them, are:
    bcf701 LoadLibraryA; bc113f LoadLibraryA; c131c2 GetCurrentThreadId; c14edf GetModuleHandleExA; c137d0 PathAddExtensionA; c13416 / c133f0 / c13c84 / c145ac lstrcmpiA; c184bd MapViewOfFileEx; 4e00d93 OpenSCManagerW; 4e01349 ImpersonateLoggedOnUser; 4e01558 ControlService; c182c2 CreateFileMappingA; c1597c / c1515e / c179ce / bc5803 / bc56fc / bc5718 CreateFileA; c179ab CreateFileW; c14fdb / c15f50 / c15002 CloseHandle; c17b71 ReadFile; a4b95a LdrInitializeThunk; c14e63 GetModuleHandleA; c14e55 GetModuleHandleW; bd21b3 / bd21da RegOpenKeyA; bd223b GetNativeSystemInfo; c17779 GetFileAttributesA; c17768 GetFileAttributesW; c149b1 / c146ec LoadLibraryExA; c1499d LoadLibraryExW; c13a9f / c13af9 / c13bb7 / a4eb3f VirtualAlloc; c13e84 VirtualProtect; c14b3c GetProcAddress; c144da lstrcpyn; c14a83 FreeLibrary; c178c3 IsBadWritePtr; c1782d GetWindowsDirectoryA; c17289 GetCurrentProcess; c172da DuplicateHandle
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 34d27e21dc4a3854a474adea92ce9ba174bafdf8e76874a6f03d050e5516c114
    • Instruction ID: fdfef2f9d4eb59435678181e9fec60e981abb85b6e5f7b2c38741d0387c4c822
    • Opcode Fuzzy Hash: 34d27e21dc4a3854a474adea92ce9ba174bafdf8e76874a6f03d050e5516c114
    • Instruction Fuzzy Hash: 42314DF211C200AFE706AF18EC8567EBBE5EF88710F16882DE2C596600E73594508B57
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 882e3ef710cd905d18684d890ff44616297c048af188cef4245c8ec029a5d528
    • Instruction ID: f86092dd6b77f0b5757c262fbc2e22d74c9a687114d25890145fad20af8b78e5
    • Opcode Fuzzy Hash: 882e3ef710cd905d18684d890ff44616297c048af188cef4245c8ec029a5d528
    • Instruction Fuzzy Hash: 61E0C2B616858ACACF16EF648A027A9772EDFC0700F500515FB059AE4BCB2D9D11C7B5

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00C149A6
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00C149BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 7823de7f8bf0488db5ed57c46e8663a3e7fae65de2a9e45cd858d51468e14356
    • Instruction ID: 9714c76b687c3b2d80528a4bb35bcb76407189e1737b7226a52e506a8c373cbc
    • Opcode Fuzzy Hash: 7823de7f8bf0488db5ed57c46e8663a3e7fae65de2a9e45cd858d51468e14356
    • Instruction Fuzzy Hash: 4631EE71504249FFEF29AF54E904AEE7BB9FF0A340F104125F81196161C7319AE1FB91

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00C14D2D,?,00000000,00000000), ref: 00C14E58
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00C14D2D,?,00000000,00000000), ref: 00C14E66
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 149e416efbaf3cc3b8282d3725dd2cce79b948eafea940a88134d130a122ede5
    • Instruction ID: 44182a9fbce9b66df2da0c765b9e565955f983af5d38446aedff48a033da8a91
    • Opcode Fuzzy Hash: 149e416efbaf3cc3b8282d3725dd2cce79b948eafea940a88134d130a122ede5
    • Instruction Fuzzy Hash: 3F112A30200646EBEF39EF28C80CBE9BB71BF03355F044221A814854D2D7799AE5FA92

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(0094BF9C,-11885FEC), ref: 00C1776E
    • GetFileAttributesA.KERNEL32(00000000,-11885FEC), ref: 00C1777C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 41658731a1a1e7a33b6da5a3b7a415eb81183630242e2983b9b0166ab7b1e377
    • Instruction ID: 0ed86d2e6fa2cdabc125163cbaa22f15cbaa6635646745db2f9fef60de53774b
    • Opcode Fuzzy Hash: 41658731a1a1e7a33b6da5a3b7a415eb81183630242e2983b9b0166ab7b1e377
    • Instruction Fuzzy Hash: 5101197020C145FAEF229F68D849BDC7EB1AF46349F208265E501660D2D7B49BE1FB91

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00BD21C6
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00BD21ED
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00BD2244
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 5d7550c9c4e3163f8fb0eebecfc1e44ec869b4517b0dd9e8cc07b42b40788361
    • Instruction ID: b8ea054d54df3937b850bd7258d783b20f99f2d8fc797aa6fde2a919b5f4d445
    • Opcode Fuzzy Hash: 5d7550c9c4e3163f8fb0eebecfc1e44ec869b4517b0dd9e8cc07b42b40788361
    • Instruction Fuzzy Hash: 9D3127B140824EDFEF11DF50C888BEF7BE9EB14710F1044AAED8186A50E77A4CA49F59

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00C137D7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 04682b0b8c70f0316e66743adaea3db05d49694a48798766f7fc0d50070ecdc2
    • Instruction ID: 0068daf6baad871ca3b79df6a2284d35c13f7cabe0558b2eb9f8c3526742db91
    • Opcode Fuzzy Hash: 04682b0b8c70f0316e66743adaea3db05d49694a48798766f7fc0d50070ecdc2
    • Instruction Fuzzy Hash: 8931287560024AFEEF229F94CC09BCE7B76BF4A358F000061FA10A54A0D3769BA5EB51

    Control-flow Graph

    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00C14EE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 348184c73e61a03fc8464d12c76313d8f6575e6ea10773bf09b966afdf3fca75
    • Instruction ID: d7daf12c9233ad48a068c94016097356c253e55390093d36452f7280615dec81
    • Opcode Fuzzy Hash: 348184c73e61a03fc8464d12c76313d8f6575e6ea10773bf09b966afdf3fca75
    • Instruction Fuzzy Hash: FBF03071204249EFEF15DF58C845AEDBBA5BF5A304F108151FD154A052C731CAE1FB51

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4523af4c9c897eaf9511bd2e3cf5dc09938e0e7fb6dc5735542b29ec46a16e9a
    • Instruction ID: 0b92955c2f0bc473b3419454ff909ef68484d5c86c91a87bda1c79de8bdce0a1
    • Opcode Fuzzy Hash: 4523af4c9c897eaf9511bd2e3cf5dc09938e0e7fb6dc5735542b29ec46a16e9a
    • Instruction Fuzzy Hash: 175188B350C645AEE711CE145A90FFE3BE4DBE6330F2444AFE481CB542D2642D899730

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(?), ref: 00BC5709
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a1ce96f3df9226dc944f584accecd1b19a09e91739a628e38932dd8967ee1faa
    • Instruction ID: 4eea1308461b690c0a88949a951219eadf947f79e675f8c794f6eadae3b32c3e
    • Opcode Fuzzy Hash: a1ce96f3df9226dc944f584accecd1b19a09e91739a628e38932dd8967ee1faa
    • Instruction Fuzzy Hash: 293159B264C629AEF721CD154E91FFF37E9DBC1720F20486EF482CB641D2A11DC55664

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(?), ref: 00BC5709
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ead9793315c2927c930362295b160c91f4f3898a61c94f0d7ab634a66530fc4c
    • Instruction ID: 9f2f94f24833fd46d5f70b3f7dc9093f17a66d52682489fc1b0081e0af8d530d
    • Opcode Fuzzy Hash: ead9793315c2927c930362295b160c91f4f3898a61c94f0d7ab634a66530fc4c
    • Instruction Fuzzy Hash: 7A312CB254861AAEF711CE244E91BFE3BA9EB82320F60885EE846C7941D3711D869671

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(?), ref: 00BC5709
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b29f1962ac553be16c0ab97c0c7891dbeac483a8458e2d6d54520020b9524d6f
    • Instruction ID: d3d40ea3c568ec7c0f4771061cd2e84eace3ebc45cd22809e83db1e5d1627f1a
    • Opcode Fuzzy Hash: b29f1962ac553be16c0ab97c0c7891dbeac483a8458e2d6d54520020b9524d6f
    • Instruction Fuzzy Hash: 843146B250C62AAEF721CE154A91FFF7BE8DBC5720F20846EF482DB941D2A11D859360

    Control-flow Graph

    control_flow_graph 266 bc56de-bc5712 CreateFileA 269 bc5718-bc57cb 266->269 270 bc59b2-bc59bb 266->270 279 bc57df-bc5818 CreateFileA 269->279 280 bc57d1-bc57de 269->280 271 bc59c7 270->271 272 bc59c1 270->272 275 bc59c8 271->275 272->271 275->275 279->270 282 bc581e-bc582a call bc582d 279->282 280->279 282->270
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00BC5709
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 50f12ba2be5f31983de6ae2ea9e3620ec4ac1aa62fd32a0736840a166397ad10
    • Instruction ID: e5ae6d9083c9c17702dd399bda0463e3ed00342d5afb1758216d369b19b66f32
    • Opcode Fuzzy Hash: 50f12ba2be5f31983de6ae2ea9e3620ec4ac1aa62fd32a0736840a166397ad10
    • Instruction Fuzzy Hash: CF2104B6548629AEFB10CE115A90BFF3BA8DBC6720F30885EF886C7541D3A11D899660

    Control-flow Graph

    control_flow_graph 285 bc56f5-bc5712 CreateFileA 287 bc5718-bc57cb 285->287 288 bc59b2-bc59bb 285->288 297 bc57df-bc5818 CreateFileA 287->297 298 bc57d1-bc57de 287->298 289 bc59c7 288->289 290 bc59c1 288->290 293 bc59c8 289->293 290->289 293->293 297->288 300 bc581e-bc582a call bc582d 297->300 298->297 300->288
    APIs
    • CreateFileA.KERNELBASE(?), ref: 00BC5709
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 51ab63d0044943e87f4dde63b8f8dc8b11236bdd96bae7b6014dc70b73c2275a
    • Instruction ID: 88c79fc04a79d9f8b956c698fff443a3648c95fb5aac2bc68dec8a747cf62119
    • Opcode Fuzzy Hash: 51ab63d0044943e87f4dde63b8f8dc8b11236bdd96bae7b6014dc70b73c2275a
    • Instruction Fuzzy Hash: 5421F4B2548629AEF710CE115E90FFF37A9DBC6730F20885EF882C7A41D3A51D859674

    Control-flow Graph

    control_flow_graph 303 c17911-c1791f 304 c17931 303->304 305 c17925-c1792c 303->305 306 c17938-c17944 call c131c2 304->306 305->306 309 c1794a-c17954 call c1781e 306->309 310 c1795f-c1796f call c178c3 306->310 309->310 315 c1795a 309->315 316 c17981-c1798f call c138d4 310->316 317 c17975-c1797c 310->317 318 c179a0-c179a5 315->318 316->318 323 c17995-c17996 call c15118 316->323 317->318 320 c179ab-c179c9 CreateFileW 318->320 321 c179ce-c179e3 CreateFileA 318->321 324 c179e9-c179ea 320->324 321->324 327 c1799b 323->327 326 c179ef-c179f6 call c1326d 324->326 327->326
    APIs
    • CreateFileW.KERNELBASE(0094BF9C,?,?,-11885FEC,?,?,?,-11885FEC,?), ref: 00C179C3
      • Part of subcall function 00C178C3: IsBadWritePtr.KERNEL32(?,00000004), ref: 00C178D1
    • CreateFileA.KERNEL32(?,?,?,-11885FEC,?,?,?,-11885FEC,?), ref: 00C179E3
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: ea373b68ada8bc22639102711a4e4df79e5745535f10c59832ab7b610f625a3b
    • Instruction ID: a92032ad20fd51dac319d3e15111603d77a8c65065a48e66053411ea6861424e
    • Opcode Fuzzy Hash: ea373b68ada8bc22639102711a4e4df79e5745535f10c59832ab7b610f625a3b
    • Instruction Fuzzy Hash: 1611E43110814AFBEF12AF98CD09BDD3F72AF0A344F148215B911640A1D7768AE9FB92

    Control-flow Graph

    control_flow_graph 330 c1727d-c17293 call c131c2 GetCurrentProcess 333 c172d5-c172f7 call c1326d DuplicateHandle 330->333 334 c17299-c1729c 330->334 339 c17301-c17303 333->339 334->333 336 c172a2-c172a5 334->336 336->333 338 c172ab-c172be call c1301c 336->338 338->333 342 c172c4-c172fc call c1501a call c1326d 338->342 342->339
    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
    • GetCurrentProcess.KERNEL32(-11885FEC), ref: 00C1728A
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C172F0
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: 4960331c130e1edd91cae2b252d90c0cc030c811f66d8acacd44ca18038a2dda
    • Instruction ID: ebc01806d60539ae8b00b2e98f52c94ab5d1dbf22e54c925aa6dfd48bd31b691
    • Opcode Fuzzy Hash: 4960331c130e1edd91cae2b252d90c0cc030c811f66d8acacd44ca18038a2dda
    • Instruction Fuzzy Hash: 2601287220404AEA8F22AFA9CC08DDE3B75AF8A3547104211F91191011D732C1E2BB61
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00C159B1
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 020361b30298d7d181134697f99e18ae0d8c35b8faaa231567c322be94fda7a2
    • Instruction ID: 31fbc84aabc3393187e3e6e50059e38f8f3a0ad8ac3feb583ac98b2ad2fac0ba
    • Opcode Fuzzy Hash: 020361b30298d7d181134697f99e18ae0d8c35b8faaa231567c322be94fda7a2
    • Instruction Fuzzy Hash: C2315E71500604FFEB209F65DC85FEDBBB8FF8A324F208265F514AA191D7719A92EB10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 7d453a944faa2dd6f6adbd4634ba88a821cb5024ddb6428bbec7d47711d399be
    • Instruction ID: e695598422e70c6485d8e1d0aa41ba37b53992ef390ef17a7688e29f464b3a50
    • Opcode Fuzzy Hash: 7d453a944faa2dd6f6adbd4634ba88a821cb5024ddb6428bbec7d47711d399be
    • Instruction Fuzzy Hash: AD3109B250C604AFE701AF08DC81A7AFBE9EF99764F12482EE6D4C7600D73548558BA7
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00C1519A
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1d0b4b67f138316627a5ff979d9174e8f730472994af208b4fa49c163c6d27ef
    • Instruction ID: eddcbde881e6c5faaf930cba1f451b731bc10d2a30a2322a009a692ee14ad371
    • Opcode Fuzzy Hash: 1d0b4b67f138316627a5ff979d9174e8f730472994af208b4fa49c163c6d27ef
    • Instruction Fuzzy Hash: 1631AE71600604FFEB219F68DC45FD977B8EF46724F208265F624AA1D1D3B1A682AB10
    APIs
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c3d575eb97c6581976cadb646a667775f7a9505bfc6440c3aa297017708a9b70
    • Instruction ID: d0e32e2ec3d1d50fc3291b56a47af14bc4aefc3855f45f8ce7f7a1d4399a69c7
    • Opcode Fuzzy Hash: c3d575eb97c6581976cadb646a667775f7a9505bfc6440c3aa297017708a9b70
    • Instruction Fuzzy Hash: 1C1103B6548625BEF611CD115AA1FFF3BA9DBC1730F20885EF482DB981D2A11D899270
    APIs
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 34ce3131715d0c93ae205e78095a7d9fae457721d2d36d731672ebd0b2a44d06
    • Instruction ID: 9bf223c62f7a17a7e7d9d631e3c7de71f7de53a6cb27eb08c8fd84180a24f754
    • Opcode Fuzzy Hash: 34ce3131715d0c93ae205e78095a7d9fae457721d2d36d731672ebd0b2a44d06
    • Instruction Fuzzy Hash: AD1102B25082356DF610DD015A61FFF3BE9CBD1B20F30882FF482CA881D2600D8552B1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: bd9d8fd39f99c457f097310843f054674f840ca89318a4fe378e4c867da06841
    • Instruction ID: 19f66d6c81efe09bea98d850bf558c49e16480f41aa02e1cf8baf84a6a519ac5
    • Opcode Fuzzy Hash: bd9d8fd39f99c457f097310843f054674f840ca89318a4fe378e4c867da06841
    • Instruction Fuzzy Hash: 750145A3448A99AED3319A344955F6E7EA8EBD1330F3047DDE592D65C3E2E028849374
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E00DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1919102304.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e00000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: f4d0295ff0a546edfbb1b3db16651ac4a49fcb1771159104d9c1f8356176bd36
    • Instruction ID: 64dc1a7e1a1b065be774c25417fce8f2bcb0dbe1e77dda8501daa2f42614a4c9
    • Opcode Fuzzy Hash: f4d0295ff0a546edfbb1b3db16651ac4a49fcb1771159104d9c1f8356176bd36
    • Instruction Fuzzy Hash: 652138B5C002189FCB50DF99D884BDEFBF5FF88310F14851AD818AB245C734A544CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E00DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1919102304.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e00000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: f817e990c9c98f2053debd78695b4e01fd2c676c808933318e1be20e3c1dac6a
    • Instruction ID: 838f8eb28aaee245076aeb95173b70dd27e00a8931c6bf66ee576ec93b8b5df7
    • Opcode Fuzzy Hash: f817e990c9c98f2053debd78695b4e01fd2c676c808933318e1be20e3c1dac6a
    • Instruction Fuzzy Hash: EC2127B6C012199FCB50DF99D884BDEFBF5EF88310F14851AD818AB345D734A544CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04E01580
    Memory Dump Source
    • Source File: 00000000.00000002.1919102304.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e00000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 69dac0a645ee67bf34711f2f20ecb5c76dd765e4ba26628cc2c7ecc8cfcaaee9
    • Instruction ID: 7b11049f5f48a574d423d8fea1962dd4ab61be5f2e4f1b03352170b9ca3ff5a4
    • Opcode Fuzzy Hash: 69dac0a645ee67bf34711f2f20ecb5c76dd765e4ba26628cc2c7ecc8cfcaaee9
    • Instruction Fuzzy Hash: EE2114B1D002499FDB10CF9AD485BDEFBF4EB88320F108429E959A7241D778A685CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04E01580
    Memory Dump Source
    • Source File: 00000000.00000002.1919102304.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e00000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 0fcbef721263ae2ef390bdad9573cc120f10b110bbfd0aa7b29b76acaca5dd59
    • Instruction ID: ba13d4dc7e74b63321d706ed8c133b99f0cccbe4847f6ecdfd56c887ae97c297
    • Opcode Fuzzy Hash: 0fcbef721263ae2ef390bdad9573cc120f10b110bbfd0aa7b29b76acaca5dd59
    • Instruction Fuzzy Hash: A31114B1D003498FDB10CF9AC484BDEFBF4EB48320F108029E559A7240D778A644CFA5
    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11885FEC), ref: 00C184D0
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 4638decc37e0f5c4d72d18aad5c69b115de62bc1930cee6865db7aca2cb38c4a
    • Instruction ID: 7e6ced85da9f07c24c8437aeac727ef5e77329bafddf14b1a7a6ad2bdae5197f
    • Opcode Fuzzy Hash: 4638decc37e0f5c4d72d18aad5c69b115de62bc1930cee6865db7aca2cb38c4a
    • Instruction Fuzzy Hash: DF11F73220414BFBCF22AFA5CC19CDE3A66BF5A340B408411FA1155021CB36C5F6FB61
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: ec658619870f8dfc2ee2f3e515d2cca3997a97f7b9c10db190df15e1825641eb
    • Instruction ID: 9f326612a08803ecdb7f56b76185eb521d82eefefd63e87af474f6adf84b4761
    • Opcode Fuzzy Hash: ec658619870f8dfc2ee2f3e515d2cca3997a97f7b9c10db190df15e1825641eb
    • Instruction Fuzzy Hash: BA112171208A4AEBDF12AF95C909EDE3BA5AF4A344F148011F91156062DB35C6E5FB60
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04E01367
    Memory Dump Source
    • Source File: 00000000.00000002.1919102304.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e00000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 51dbaa2fc84854686946f5e39383489edaa01f81e6766090317a79afad2d9b0d
    • Instruction ID: ec79d7c85dfb54f0b9dddec1d62771fb62fa2af175f3ef5d0d89634eb5d47169
    • Opcode Fuzzy Hash: 51dbaa2fc84854686946f5e39383489edaa01f81e6766090317a79afad2d9b0d
    • Instruction Fuzzy Hash: F11113B18003498FDB10DF9AC545BEEFBF8EF48324F24842AD558A7281D778A584CBA5
    APIs
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: bc9cf30884a157531dd78b65f530a7555f2791a63d93b4069ed08d1490f46bd9
    • Instruction ID: 593c9a2a3eb402ac78b7bc900142657d408b98ec3325985529273896a1371da9
    • Opcode Fuzzy Hash: bc9cf30884a157531dd78b65f530a7555f2791a63d93b4069ed08d1490f46bd9
    • Instruction Fuzzy Hash: CF0126B1948629ADF720CE0149A1FBF3BE5DBD1720F20486FF4828A981D2B41E8587A1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04E01367
    Memory Dump Source
    • Source File: 00000000.00000002.1919102304.0000000004E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e00000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: b9e52542e1fd35c50fdf8f0f30cb72f05b9d248f95c60e8d3126d4a6aeccc668
    • Instruction ID: ccfcedfd40ec2fa37e3bc157851698309d7a35e23375565e542ec96572c495ee
    • Opcode Fuzzy Hash: b9e52542e1fd35c50fdf8f0f30cb72f05b9d248f95c60e8d3126d4a6aeccc668
    • Instruction Fuzzy Hash: 8E1125B18003498FDB10DF9AC445BEEFBF4EB48324F20841AD558A3280C778A584CBA5
    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11885FEC,?,?,00C15844,?,?,00000400,?,00000000,?,00000000), ref: 00C17B81
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: 9dcb241566cef68580af76e65e0f9d16d440af10e27392600766f3f1837974e0
    • Instruction ID: fcd2ded0fb0b4e16a9edb896cbc451b182e4f639d146e621661e8ecb8aa5d28f
    • Opcode Fuzzy Hash: 9dcb241566cef68580af76e65e0f9d16d440af10e27392600766f3f1837974e0
    • Instruction Fuzzy Hash: 41F0C972208149EBCF12AF98DC05DDE3F76AF4A354B148121B91555022C732C5E2FB61
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 9ecd57893a83e9f076b1d2029e4be14f11357ecf88e7b6c1a80e4eaf9e7a25b3
    • Instruction ID: 1918c01b0b0dd1d0c4f6364084949902fdcd2daf13f2e74ef5879ef46936f93b
    • Opcode Fuzzy Hash: 9ecd57893a83e9f076b1d2029e4be14f11357ecf88e7b6c1a80e4eaf9e7a25b3
    • Instruction Fuzzy Hash: FEF06DB241D704EFD3195F12D98467EB7E6EF84761F22C81EE1C543600E63598409B5A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: 00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916323470.0000000000BC9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916438244.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916523561.0000000000C02000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916575442.0000000000C19000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916598811.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916625667.0000000000C1B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916647417.0000000000C1E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916672164.0000000000C2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916712311.0000000000C3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916731304.0000000000C40000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916763271.0000000000C48000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916784234.0000000000C4A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916806185.0000000000C52000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916826431.0000000000C56000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916846110.0000000000C5D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916864704.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916885194.0000000000C61000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916907557.0000000000C62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916925179.0000000000C69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916944129.0000000000C6B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916965510.0000000000C73000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1916987439.0000000000C76000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917008999.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917066169.0000000000CC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917083198.0000000000CC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917107020.0000000000CD8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1917157040.0000000000CE8000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b18d602b6c7db17520c4e105dbaa6a968ce284971e453dbdae14ed215a172f54
    • Instruction ID: bb944b6aca44697978d533f8c5e7e95a9fdae2599f94a6aecae9e741b4859e21
    • Opcode Fuzzy Hash: b18d602b6c7db17520c4e105dbaa6a968ce284971e453dbdae14ed215a172f54
    • Instruction Fuzzy Hash: 35E02B2280D7D49ECB3669340856B0C3FA0C952220F2407DD95E18B6E7D55028468353
    APIs
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
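    The .sdmp identifiers in the Memory Dump Source lists of this report encode, among other fields, the dumped region's base address, its page protection and its memory type. The block below is an added example for this page; it is not Joe Sandbox code and not part of the analysed sample. It parses those identifiers and flags the image regions that are both writable and executable, which is the first thing to check when a sample rewrites its own sections in memory. Only the address field, the protection field (Win32 PAGE_* values) and the memory type field (MEM_IMAGE = 0x1000000) are interpreted; the assumed meaning of the other fields is stated in the comments and the sixth and eighth fields are kept raw because the page does not document them. The input list is copied from the report's own dump names.

```python
"""Decode Joe Sandbox .sdmp memory-dump identifiers and flag writable+executable regions.

Added example for this report; not Joe Sandbox code and not part of the sample.
Assumed field layout of the dotted name (only base address, page protection and memory
type are checked against the Win32 constants they carry; the rest is an assumption):

  <proc index>.<dump stage>.<dump id>.<base address>.<page protection>.<field 6>.<memory type>.<field 8>.sdmp
"""
import re
from dataclasses import dataclass

# Win32 page protection constants (winnt.h)
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}  # copy-on-write pages count as writable
# Win32 memory type constants (MEMORY_BASIC_INFORMATION.Type)
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>[0-9]+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    proc_index: int
    stage: int
    dump_id: str   # kept as the literal digit string; its encoding is not documented on the page
    base: int
    protect: int
    mem_type: int
    field6: int    # meaning not given on the page; kept raw
    field8: int    # meaning not given on the page; kept raw

    @property
    def protect_name(self) -> str:
        """Readable protection, e.g. 'PAGE_EXECUTE_READWRITE' or 'PAGE_READONLY|PAGE_GUARD'."""
        basic = self.protect & 0xFF
        parts = [PAGE_NAMES.get(basic, f"0x{basic:02X}")]
        parts += [name for bit, name in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join(parts)

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def is_wx(self) -> bool:
        """True when the region is both writable and executable: what a packer or
        self-modifying code needs, and what a normally linked PE section does not have."""
        basic = self.protect & 0xFF
        return basic in EXECUTABLE and basic in WRITABLE


def parse_sdmp(name: str) -> DumpRegion:
    """Split one .sdmp identifier into its fields; raises ValueError on anything else."""
    m = _SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp identifier: {name!r}")
    return DumpRegion(
        proc_index=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        dump_id=m["dump_id"],
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
        field6=int(m["f6"], 16),
        field8=int(m["f8"], 16),
    )


def wx_image_regions(names):
    """Bases of the MEM_IMAGE regions that are writable and executable, lowest address first."""
    regions = [parse_sdmp(n) for n in names]
    return sorted(r.base for r in regions if r.mem_type == 0x1000000 and r.is_wx)


# Identifiers copied from the report's Memory Dump Source lists (image mapped at 00A40000).
REPORT_DUMPS = [
    "00000000.00000002.1915807245.0000000000A40000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1915835440.0000000000A42000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1915918906.0000000000A46000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1915979541.0000000000A56000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1916242638.0000000000BA8000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1916283452.0000000000BAB000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_sdmp, REPORT_DUMPS):
        flag = "W+X" if r.is_wx else "   "
        print(f"{r.base:08X}  {flag}  {r.protect_name:<24} {r.mem_type_name}")
    print("W+X image regions:", [f"{b:08X}" for b in wx_image_regions(REPORT_DUMPS)])
```

    Run on the identifiers above, only the region at 00A40000 (PAGE_READWRITE, where the PE headers live) and the one at 00A46000 (PAGE_WRITECOPY) come out as not executable; every other dumped page of the image is PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY. A region that is writable and executable is where to look for decrypted code when correlating the Opcode and Instruction fuzzy hashes of the function records below with a clean build.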
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: the other .sdmp segments of the same 00A40000 image (the full list is given once above; each record's set omits only its own source file)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: af20a6fb904fa71b6125cb75da98178e0f7381d2840293db0e8f7ae5b64cbae0
    • Instruction ID: 78aa9ca9a535f89be0788f5dabdc051751fbcc5b2e4f5554c533374c32c36d4f
    • Opcode Fuzzy Hash: af20a6fb904fa71b6125cb75da98178e0f7381d2840293db0e8f7ae5b64cbae0
    • Instruction Fuzzy Hash: ECD0227040D8F889EA31CB904DD2BBD3AE0CFA1302F00048ED1C146082C928A6826A92
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: the other .sdmp segments of the same 00A40000 image (the full list is given once above; each record's set omits only its own source file)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d8bb4e4802e5adce2686d8ed96a2c43e2a224e2577cdabda212041034a803285
    • Instruction ID: 4018cef07cf3b698b30cc4c232b5d8b71372cc4cca05077b4be935fc61ff8044
    • Opcode Fuzzy Hash: d8bb4e4802e5adce2686d8ed96a2c43e2a224e2577cdabda212041034a803285
    • Instruction Fuzzy Hash: 3BC0801344C7DC69D57175F45851F586540C711574F5403945B79E72E3D5901C450152
    APIs
    • CreateFileA.KERNELBASE(?,E4DEA7A8,00000003,00000000,00000003,59BF0A61,00000000), ref: 00BC5812
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: the other .sdmp segments of the same 00A40000 image (the full list is given once above; each record's set omits only its own source file)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 3e0cdcbdd6ba1ff4c81a4abb75f9140b21d0972c12af92416e06cdd85d1dcaf6
    • Instruction ID: 8241c8c2b7460d4d2d1360059d25ff658705987edae4910bfa119eb2b990150a
    • Opcode Fuzzy Hash: 3e0cdcbdd6ba1ff4c81a4abb75f9140b21d0972c12af92416e06cdd85d1dcaf6
    • Instruction Fuzzy Hash: FFD022B040A5F9A8EA318B904992BBD3AE0CFA5382F00448ED0C144082C23466865B92
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: the other .sdmp segments of the same 00A40000 image (the full list is given once above; each record's set omits only its own source file)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 577737915366baa4b9020069c22096e2f5eba76d9dd3002bc4fa0992434be188
    • Instruction ID: 65ad2b03b1c48e63384835856e36f577ebc5efd4a561ccd3bdd1d027b4c25c20
    • Opcode Fuzzy Hash: 577737915366baa4b9020069c22096e2f5eba76d9dd3002bc4fa0992434be188
    • Instruction Fuzzy Hash: 15010475A00549BEDF12AFA8CC04DCEBF76EF4A354F004061B411A4061E7329BA2EB60
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00A4EC19
    Memory Dump Source
    • Source File: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: the other .sdmp segments of the same 00A40000 image (the full list is given once above; each record's set omits only its own source file)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 01fa5d5dc77bbcd1bff9d5053e1e5d22d3a9b2a71252c9b6eb569dfd7b74697b
    • Instruction ID: 27b520192d468ac768693c437bec6e178d1fc51d08d2c0897f3a1d8185992c48
    • Opcode Fuzzy Hash: 01fa5d5dc77bbcd1bff9d5053e1e5d22d3a9b2a71252c9b6eb569dfd7b74697b
    • Instruction Fuzzy Hash: 7D016DB25086049FDB046F68D44566DBBF4EF98720F16462EEA9687380D2710C54CA46
    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
    • CloseHandle.KERNELBASE(00C158D9,-11885FEC,?,?,00C158D9,?), ref: 00C15F54
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    • Associated: the other .sdmp segments of the same 00A40000 image (the full list is given once above; each record's set omits only its own source file)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: 315860622a1cdc5b5c74c6023b3a009d1de5677462020b54711cf85cc7ea675a
    • Instruction ID: eec0c5ae474d56009fd9bfad088b2c3201bc8dfb786aec05c7b4ba8005983a42
    • Opcode Fuzzy Hash: 315860622a1cdc5b5c74c6023b3a009d1de5677462020b54711cf85cc7ea675a
    • Instruction Fuzzy Hash: 20E04FB2204889E6DE107AADD80ADCE2E68AFCB3887504122B50195056DA35C2D3B660
    APIs
    • CloseHandle.KERNELBASE(?,?,00C13061,?,?), ref: 00C14FE1
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 27ed9f339740639afc0f7c22c693d1ae68b66a7d1810cf54e99e88d3f1104e55
    • Instruction ID: 7a00fac335bd542c17adf64568d97403e73d38def231c81a5d69d7cc772111f4
    • Opcode Fuzzy Hash: 27ed9f339740639afc0f7c22c693d1ae68b66a7d1810cf54e99e88d3f1104e55
    • Instruction Fuzzy Hash: FDB09231004109BBCF41BFA5DC0688DBF69BF96398B408122B90544161DB72E9A2EB90
    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
    • GetSystemTime.KERNEL32(?,-11885FEC), ref: 00C17344
    • GetFileTime.KERNEL32(?,?,?,?,-11885FEC), ref: 00C17387
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: 2da91638045245d42af673eaa570f98c1ac82f627d553f6b31c4acca8767a525
    • Instruction ID: e3238fa32a2d96dde2882de09a77ee89ba914d6ac128c5724f96a69acb686734
    • Opcode Fuzzy Hash: 2da91638045245d42af673eaa570f98c1ac82f627d553f6b31c4acca8767a525
    • Instruction Fuzzy Hash: B401C47220858AEBDF256F69D808EDE7F76EF86354B504221B81545461CB32CAE2FA60
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID: %i{]
    • API String ID: 0-683670987
    • Opcode ID: e3487140bd32b910590a54ebf5ef65b1b183073d338bcf3df117747fbb1f61f3
    • Instruction ID: 507359a3742e5509f8e8f9424151d318ccbaaf419a7d64313c43d0d5d3a05abb
    • Opcode Fuzzy Hash: e3487140bd32b910590a54ebf5ef65b1b183073d338bcf3df117747fbb1f61f3
    • Instruction Fuzzy Hash: 5DD1F5F390C200AFE305AE29DC8576AB7E9EF94720F1A453DEAD4C3344EA7598058697
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00C18214
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 7fd892d83c598af2be9b7e0fdaaf6535b1ea719d172fb5fe699b001acc903685
    • Instruction ID: 6f397ef7653d38dd47e15eb7c254220ab820e91c4d9401f60818103d0fae1401
    • Opcode Fuzzy Hash: 7fd892d83c598af2be9b7e0fdaaf6535b1ea719d172fb5fe699b001acc903685
    • Instruction Fuzzy Hash: 09F0F83260450AEFCF02CF94C90599C7BB1FF0A304B10812AF91596211D775D6A5EF40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID: @1J~
    • API String ID: 0-584250162
    • Opcode ID: f57245e9e5c54038c3d35e43514f6a7064d77b58c5bbcc7808b6b955a0be97c4
    • Instruction ID: dd4577113835079737e1e59d6256a83e0666df6d9022031b44ab7bc24797ab5e
    • Opcode Fuzzy Hash: f57245e9e5c54038c3d35e43514f6a7064d77b58c5bbcc7808b6b955a0be97c4
    • Instruction Fuzzy Hash: CE7103BA90825E8FDB05CF24D5412EF7BF1EFC6330F21856AD84193A42D2B25D12DB98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916695248.0000000000C34000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID: /~H~
    • API String ID: 0-141016088
    • Opcode ID: 3df546accab35eab1907bb6b702d8aaa1f6080a4131306c2d728bbf89336d7e9
    • Instruction ID: 536ba55b8f8366e1960277a955c227f039c41396da8e1dea83609efe01c18f10
    • Opcode Fuzzy Hash: 3df546accab35eab1907bb6b702d8aaa1f6080a4131306c2d728bbf89336d7e9
    • Instruction Fuzzy Hash: CD41A5B360D3149FE3157EADECC566AB7D8EB58260F06053DDBC8C3740EA7629108697
    Memory Dump Source
    • Source File: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5c205f2cfdfcd4a32387813262969b4332a06c55d06a92520a8ac0d200196d24
    • Instruction ID: fb99e087c8f2a271cd642a5913598858f2bbed489fb3038f8b75d9465af8f221
    • Opcode Fuzzy Hash: 5c205f2cfdfcd4a32387813262969b4332a06c55d06a92520a8ac0d200196d24
    • Instruction Fuzzy Hash: 4A815BF3F1163547F3544929DD583A266939BA1321F2F82788E9C2BBC9E87E4D0A52C4
    Memory Dump Source
    • Source File: 00000000.00000002.1916462370.0000000000BD5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2c6b66b82a44064f1fe2b432aa61d3be229329ebc8267eb6b39b2fe592df9053
    • Instruction ID: 18fbca1063a9831921bda3d4e5bd32ef3f07e4c50dac0b9e18a0955248a1d048
    • Opcode Fuzzy Hash: 2c6b66b82a44064f1fe2b432aa61d3be229329ebc8267eb6b39b2fe592df9053
    • Instruction Fuzzy Hash: 4E5114B222C708EFE3407B08ECC5A7AB7E5EB48310F25486DE3C687311E6718458DA57
    Memory Dump Source
    • Source File: 00000000.00000002.1915954373.0000000000A4A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 64c66aa34e1d3334e38a42049c727487fc25709cac1d13cd11f8ab1077377b00
    • Instruction ID: b8822cf3e419fb6b2ef39f57e34fa8e120692d7773862352b63d351254ee4312
    • Opcode Fuzzy Hash: 64c66aa34e1d3334e38a42049c727487fc25709cac1d13cd11f8ab1077377b00
    • Instruction Fuzzy Hash: C341C5B3E105248BF3548E34CC6836177A2DB85311F2F42BD8E886B7D5D93E5E099788
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1919ee442df80aa30714ca23ff78836aaa879d2963c95bbf3e1b851625088f76
    • Instruction ID: 7a0fa2512b68d6658d44525d2ed6744c39922adba3e7cd60efd0bda11ccf2ea7
    • Opcode Fuzzy Hash: 1919ee442df80aa30714ca23ff78836aaa879d2963c95bbf3e1b851625088f76
    • Instruction Fuzzy Hash: 113184F391C6109FE305AF19D8816BEFBE5FF98321F16892DEAC883614D63448418B96
    Memory Dump Source
    • Source File: 00000000.00000002.1916323470.0000000000BBE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 57870dc9839f57cffbcb6509711916bd0f9aa9857c9d0d0c637d848add4a75df
    • Instruction ID: 9218b87ed6b13f615b12fb94be56a4dad8a142b7022cfa3b83a8ffa064550876
    • Opcode Fuzzy Hash: 57870dc9839f57cffbcb6509711916bd0f9aa9857c9d0d0c637d848add4a75df
    • Instruction Fuzzy Hash: C33162B391C6109FE305AF19D8816BAFBE5FF98721F16892DEAC883614D63448418B97
    Memory Dump Source
    • Source File: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5d094c3b899ea14d758dbae220b1a388218a3c55083be638dd4e5258feb19335
    • Instruction ID: 6fa6c46b142541474b2dba50ec4f2e1aceeb84085c51885c551a311e25f2d9ec
    • Opcode Fuzzy Hash: 5d094c3b899ea14d758dbae220b1a388218a3c55083be638dd4e5258feb19335
    • Instruction Fuzzy Hash: 57310AB250C200DFE355AF29D8857BEFBE6EF98710F16492DE6C583650EB355440CA8B
    Memory Dump Source
    • Source File: 00000000.00000002.1917028166.0000000000C85000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5db7c746dee57774f3379b074050e2a745eabb5fa6ef6410c426bf3b1103b6d0
    • Instruction ID: 35d3bbfb2fef5caa246a87be5d1d3921b5daebf387435c4e13f4898e161d6847
    • Opcode Fuzzy Hash: 5db7c746dee57774f3379b074050e2a745eabb5fa6ef6410c426bf3b1103b6d0
    • Instruction Fuzzy Hash: 0A21D5B241C204EFE715BF28D8857BAFBE5FF18310F16492DEAD482620E73558509B87
    APIs
      • Part of subcall function 00C131C2: GetCurrentThreadId.KERNEL32 ref: 00C131D1
      • Part of subcall function 00C178C3: IsBadWritePtr.KERNEL32(?,00000004), ref: 00C178D1
    • wsprintfA.USER32 ref: 00C1688B
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00C1694F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 84443fe4b07b556df82a67e45a448add7cb737f4c19c4e2ed97ddb17f57556ba
    • Instruction ID: fac7b288c046acfb92ce1ba67fea529b582146bade48a12e3be82b13321a4d6b
    • Opcode Fuzzy Hash: 84443fe4b07b556df82a67e45a448add7cb737f4c19c4e2ed97ddb17f57556ba
    • Instruction Fuzzy Hash: 34310771A0010AFFDF119F94DC49EEEBB75FF89710F108125F511A61A1C7319AA2EB60
    APIs
    • GetFileAttributesExW.KERNEL32(0094BF9C,00004020,00000000,-11885FEC), ref: 00C17503
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1916552670.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A40000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a40000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 2151811a2c1b7610b19528a6780f96353fe91bd3d943334c729ca59a21d949b9
    • Instruction ID: d0396fa81aa2e5e497f58fa69eb86c0515e7997fcb10405b504db5b522654db3
    • Opcode Fuzzy Hash: 2151811a2c1b7610b19528a6780f96353fe91bd3d943334c729ca59a21d949b9
    • Instruction Fuzzy Hash: 213189B1508605EFEF258F59C848BCABFB1FF09314F108619E85567691C3B0A6A1EF91