
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562779
MD5: 22370d009f56cb4eaa0c65191c9ce569
SHA1: 61709a4936735ee99136b7dc86de24480146d8b5
SHA256: 3c15b93399455363458932130652659f24d2415b1dc2ef02ace1f943cb83e78d
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 22370D009F56CB4EAA0C65191C9CE569)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1802377247.0000000005170000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBB0F2 | 0_2_00DBB0F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF32A7 | 0_2_00CF32A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DFD56E | 0_2_00DFD56E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF4502 | 0_2_00CF4502
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7DDD8 | 0_2_00B7DDD8
Source: file.exe, 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_053C15D0 ChangeServiceConfigA, | 0_2_053C15D0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2752512 > 1048576
Source: file.exe | Static PE information: Raw size of nddcsido is bigger than: 0x100000 < 0x29a000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.b70000.0.unpack :EW;.rsrc:W;.idata :W;nddcsido:EW;dwmsfeeq:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2ab072 should be: 0x2ad2d2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: nddcsido
Source: file.exe | Static PE information: section name: dwmsfeeq
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFD7C2 push ebp; mov dword ptr [esp], edx | 0_2_00CFD096
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFD7C2 push esi; mov dword ptr [esp], eax | 0_2_00CFD0AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFD7C2 push eax; mov dword ptr [esp], edx | 0_2_00CFD0BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFCB9B push ebp; mov dword ptr [esp], 64CA3A20h | 0_2_00CFE16A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B7EB23 push edi; mov dword ptr [esp], eax | 0_2_00B7EB32
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEEC7B push esi; mov dword ptr [esp], edi | 0_2_00CEECB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEEC7B push ecx; mov dword ptr [esp], 4E6F1AC1h | 0_2_00CEED11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEEC7B push edx; mov dword ptr [esp], ebp | 0_2_00CEED76
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D010DD push 0C35E78Fh; mov dword ptr [esp], ebp | 0_2_00D010F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D010DD push 74F5C083h; mov dword ptr [esp], eax | 0_2_00D02885
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBB0F2 push ebp; mov dword ptr [esp], 64D2C052h | 0_2_00DBB0F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBB0F2 push esi; mov dword ptr [esp], 1E5AB9B6h | 0_2_00DBB218
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBB0F2 push edx; mov dword ptr [esp], esi | 0_2_00DBB23B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBB0F2 push ecx; mov dword ptr [esp], 3CF73109h | 0_2_00DBB253
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBB0F2 push edi; mov dword ptr [esp], eax | 0_2_00DBB2A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D01090 push 663590A1h; mov dword ptr [esp], eax | 0_2_00D014CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0109B push 56B7A610h; mov dword ptr [esp], edi | 0_2_00D0290B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0109B push 1B069400h; mov dword ptr [esp], edi | 0_2_00D02938
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B850F5 push 08C0A2E2h; mov dword ptr [esp], esi | 0_2_00B8514A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF009D push 4B49FD1Ah; mov dword ptr [esp], ebp | 0_2_00CF077C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF009D push eax; mov dword ptr [esp], ebx | 0_2_00CF0792
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF009D push eax; mov dword ptr [esp], ebp | 0_2_00CF0816
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D01084 push 56E1F5D7h; mov dword ptr [esp], edx | 0_2_00D02D16
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF00AE push edi; mov dword ptr [esp], ecx | 0_2_00CF05EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D020B1 push ebx; mov dword ptr [esp], esi | 0_2_00D02DCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5B0B0 push eax; mov dword ptr [esp], esp | 0_2_00D5B103
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5B0B0 push 6F3E69C0h; mov dword ptr [esp], ebp | 0_2_00D5B126
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D030B7 push ebx; ret | 0_2_00D030C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1E056 push eax; mov dword ptr [esp], 7FDC9729h | 0_2_00D1E0C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1E056 push 3A8A2466h; mov dword ptr [esp], eax | 0_2_00D1E11F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFD05E push ebp; mov dword ptr [esp], edx | 0_2_00CFD096
Source: file.exe | Static PE information: section name: entropy: 7.771151121677305

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22421 second address: D22426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22426 second address: D22430 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBFE0B7F1ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22430 second address: D2244C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007FBFE082F7F1h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2244C second address: D22452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22452 second address: D22456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22456 second address: D224DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007FBFE0B7F1E8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 movzx esi, si 0x00000029 nop 0x0000002a jne 00007FBFE0B7F205h 0x00000030 push eax 0x00000031 push edi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FBFE0B7F1F9h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2267B second address: D22681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22A15 second address: D22A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22A19 second address: D22A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22A1D second address: D22A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22F13 second address: D22FF2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBFE082F7ECh 0x00000008 jbe 00007FBFE082F7E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 jmp 00007FBFE082F7F9h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FBFE082F7E8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 or dword ptr [ebp+122D3104h], ecx 0x0000003a call 00007FBFE082F7F2h 0x0000003f call 00007FBFE082F7F8h 0x00000044 jng 00007FBFE082F7E6h 0x0000004a pop esi 0x0000004b pop edi 0x0000004c push 00000000h 0x0000004e push 00000000h 0x00000050 push eax 0x00000051 call 00007FBFE082F7E8h 0x00000056 pop eax 0x00000057 mov dword ptr [esp+04h], eax 0x0000005b add dword ptr [esp+04h], 0000001Ch 0x00000063 inc eax 0x00000064 push eax 0x00000065 ret 0x00000066 pop eax 0x00000067 ret 0x00000068 mov esi, dword ptr [ebp+122D3104h] 0x0000006e xchg eax, ebx 0x0000006f jmp 00007FBFE082F7EDh 0x00000074 push eax 0x00000075 push eax 0x00000076 push edx 0x00000077 js 00007FBFE082F7F7h 0x0000007d jmp 00007FBFE082F7F1h 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22FF2 second address: D22FF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D24A7C second address: D24A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FBFE082F7E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D24A88 second address: D24AA0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBFE0B7F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FBFE0B7F1E8h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26026 second address: D26041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFE082F7F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26041 second address: D26045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26045 second address: D2604B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2604B second address: D2605C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push edi 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2605C second address: D26065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26762 second address: D26772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFE0B7F1ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26772 second address: D26776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D287DD second address: D287E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D287E1 second address: D287E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28F1F second address: D28F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007FBFE0B7F1F7h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBFE0B7F1F9h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AE12 second address: D2AE1C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBFE082F7ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B8F3 second address: D2B96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b jmp 00007FBFE0B7F1EDh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edi 0x00000014 nop 0x00000015 mov esi, dword ptr [ebp+122D285Fh] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FBFE0B7F1E8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 or esi, dword ptr [ebp+122D3B72h] 0x0000003d mov dword ptr [ebp+122D31E9h], ebx 0x00000043 push 00000000h 0x00000045 jmp 00007FBFE0B7F1F3h 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FBFE0B7F1F1h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2B96E second address: D2B978 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBFE082F7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3E3 second address: D2C3E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C174 second address: D2C178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C3E9 second address: D2C40A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBFE0B7F1EDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C40A second address: D2C414 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBFE082F7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CD7F second address: D2CD97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFE0B7F1F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CD97 second address: D2CDA9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBFE082F7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30750 second address: D30754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30754 second address: D307A0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FBFE082F7E8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 stc 0x00000023 push 00000000h 0x00000025 mov edi, dword ptr [ebp+122D3BA6h] 0x0000002b push 00000000h 0x0000002d xchg eax, esi 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FBFE082F7F2h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F8C5 second address: D2F8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F8C9 second address: D2F8FA instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBFE082F7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jp 00007FBFE082F7E6h 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FBFE082F7EEh 0x0000001c jmp 00007FBFE082F7EBh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F8FA second address: D2F904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBFE0B7F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33624 second address: D3362A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3362A second address: D336DD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBFE0B7F1FCh 0x00000008 jmp 00007FBFE0B7F1F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBFE0B7F1EEh 0x00000016 pop edx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FBFE0B7F1E8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 and ebx, 15D26F06h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FBFE0B7F1E8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000019h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 mov ebx, dword ptr [ebp+122D5C2Ch] 0x0000005c mov bx, si 0x0000005f xchg eax, esi 0x00000060 jmp 00007FBFE0B7F1F2h 0x00000065 push eax 0x00000066 pushad 0x00000067 jmp 00007FBFE0B7F1EBh 0x0000006c push eax 0x0000006d push edx 0x0000006e jnc 00007FBFE0B7F1E6h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31A0A second address: D31A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 jl 00007FBFE082F7E6h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jo 00007FBFE082F7F8h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31A25 second address: D31A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D33912 second address: D3391C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FBFE082F7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3391C second address: D33920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D35631 second address: D35651 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D374CE second address: D374D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D374D4 second address: D374D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D374D8 second address: D374DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D366A2 second address: D366C2 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBFE082F7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBFE082F7F2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3850B second address: D3850F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3850F second address: D38515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38515 second address: D38528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFE0B7F1EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D394F1 second address: D394F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A49C second address: D3A4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B3C6 second address: D3B3CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B3CF second address: D3B3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3B3D3 second address: D3B43B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBFE082F7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FBFE082F7E8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 mov ebx, 7B7F401Bh 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 or dword ptr [ebp+122D1D01h], edx 0x00000036 pop ebx 0x00000037 push 00000000h 0x00000039 jmp 00007FBFE082F7F5h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FBFE082F7EDh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3866C second address: D386AA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBFE0B7F1FEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FBFE0B7F1F6h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D386AA second address: D386AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D376C3 second address: D376EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FBFE0B7F1E6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jmp 00007FBFE0B7F1F9h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D376EF second address: D376F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A5FF second address: D3A695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007FBFE0B7F1EFh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 pushad 0x00000011 and eax, dword ptr [ebp+122D25AFh] 0x00000017 jc 00007FBFE0B7F1F4h 0x0000001d jmp 00007FBFE0B7F1EEh 0x00000022 popad 0x00000023 push dword ptr fs:[00000000h] 0x0000002a mov ebx, 0FFCCFD1h 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov edi, dword ptr [ebp+122D3AF6h] 0x0000003c mov eax, dword ptr [ebp+122D05CDh] 0x00000042 push 00000000h 0x00000044 push eax 0x00000045 call 00007FBFE0B7F1E8h 0x0000004a pop eax 0x0000004b mov dword ptr [esp+04h], eax 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc eax 0x00000058 push eax 0x00000059 ret 0x0000005a pop eax 0x0000005b ret 0x0000005c push FFFFFFFFh 0x0000005e jmp 00007FBFE0B7F1EEh 0x00000063 nop 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FBFE0B7F1F0h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A695 second address: D3A6AB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FBFE082F7E6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FBFE082F7E6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3C537 second address: D3C55B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d jnp 00007FBFE0B7F1E6h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D475BC second address: D475C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D475C0 second address: D475C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46ECD second address: D46EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FBFE082F7E6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47028 second address: D47051 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFE0B7F1F9h 0x00000009 jmp 00007FBFE0B7F1ECh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47051 second address: D47057 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D296E2 second address: D29711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FBFE0B7F1F3h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBFE0B7F1EFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55C8C second address: D55CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFE082F7F5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55CA5 second address: D55CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007FBFE0B7F1EAh 0x0000000f push ebx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007FBFE0B7F1ECh 0x0000001f push eax 0x00000020 pop eax 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55CCE second address: D55CE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007FBFE082F7E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55EEE second address: D55EFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007FBFE0B7F1E6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B443 second address: D5B447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B447 second address: D5B494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFE0B7F1F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FBFE0B7F1FBh 0x00000011 jmp 00007FBFE0B7F1F3h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBFE0B7F1F4h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B884 second address: D5B889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B889 second address: D5B88F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B88F second address: D5B893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B893 second address: D5B897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B897 second address: D5B8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBFE082F7F4h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B8B9 second address: D5B8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007FBFE0B7F1E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B8C8 second address: D5B8D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BA1D second address: D5BA30 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007FBFE0B7F1E6h 0x00000009 jng 00007FBFE0B7F1E6h 0x0000000f pop esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5BE15 second address: D5BE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D612BC second address: D612D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D612D4 second address: D612DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D612DA second address: D612E7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D612E7 second address: D61305 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007FBFE082F7F3h 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D61305 second address: D6130F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FBFE0B7F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8235 second address: CE823B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE823B second address: CE8241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8241 second address: CE8245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D6C8 second address: D2D6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFE0B7F1EFh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DCA2 second address: D2DCA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DD2C second address: D2DD82 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBFE0B7F1FDh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c jmp 00007FBFE0B7F1EBh 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jo 00007FBFE0B7F1F5h 0x0000001c jmp 00007FBFE0B7F1EFh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FBFE0B7F1EAh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DD82 second address: D2DDA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push esi 0x0000000e jmp 00007FBFE082F7ECh 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DDA1 second address: D2DDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DDA5 second address: D2DDA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DDA9 second address: D2DE22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FBFE0B7F1E8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 or ecx, dword ptr [ebp+122D3039h] 0x00000028 movzx ecx, cx 0x0000002b call 00007FBFE0B7F1E9h 0x00000030 pushad 0x00000031 pushad 0x00000032 jnc 00007FBFE0B7F1E6h 0x00000038 jmp 00007FBFE0B7F1F8h 0x0000003d popad 0x0000003e jmp 00007FBFE0B7F1F5h 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DE22 second address: D2DE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DE27 second address: D2DE66 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FBFE0B7F1F9h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f ja 00007FBFE0B7F1F0h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007FBFE0B7F1E8h 0x0000001f push eax 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DE66 second address: D2DE6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DE6B second address: D2DE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DFAB second address: D2DFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E233 second address: D2E237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E237 second address: D2E23B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E23B second address: D2E241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E241 second address: D2E24B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FBFE082F7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E24B second address: D2E280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or dword ptr [ebp+122D2785h], esi 0x00000012 push 00000004h 0x00000014 sub dword ptr [ebp+122D369Fh], edx 0x0000001a nop 0x0000001b jp 00007FBFE0B7F1F0h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E5DA second address: D2E5E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E5E0 second address: D2E653 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBFE0B7F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D31FBh], ebx 0x00000013 push 0000001Eh 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007FBFE0B7F1E8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f call 00007FBFE0B7F1F1h 0x00000034 mov dword ptr [ebp+12470FFDh], eax 0x0000003a pop edx 0x0000003b push eax 0x0000003c pushad 0x0000003d jmp 00007FBFE0B7F1F4h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FBFE0B7F1F1h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E77F second address: D2E783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E783 second address: D2E792 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBFE0B7F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E792 second address: D2E79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E9C9 second address: D2E9CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E9CD second address: D080D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 lea eax, dword ptr [ebp+124834A7h] 0x0000000f sub di, 0DC4h 0x00000014 push eax 0x00000015 jng 00007FBFE082F7EAh 0x0000001b mov dword ptr [esp], eax 0x0000001e movsx edx, di 0x00000021 lea eax, dword ptr [ebp+12483463h] 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007FBFE082F7E8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 push eax 0x00000042 push esi 0x00000043 jmp 00007FBFE082F7F5h 0x00000048 pop esi 0x00000049 mov dword ptr [esp], eax 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007FBFE082F7E8h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 0000001Ah 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 sub dword ptr [ebp+122D2D63h], ecx 0x0000006c or ecx, dword ptr [ebp+122D24A2h] 0x00000072 call dword ptr [ebp+122D2CA5h] 0x00000078 push eax 0x00000079 push edx 0x0000007a jl 00007FBFE082F7ECh 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6041E second address: D60428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBFE0B7F1E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60428 second address: D6043A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7EEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6043A second address: D60440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60440 second address: D60458 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FBFE082F7ECh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60458 second address: D6046C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60706 second address: D6073B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007FBFE082F7F7h 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBFE082F7F1h 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6073B second address: D60740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60880 second address: D6088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBFE082F7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6088A second address: D60898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60898 second address: D608D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnp 00007FBFE082F7E6h 0x0000000b jmp 00007FBFE082F7F9h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBFE082F7F8h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D608D9 second address: D608DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D608DD second address: D608FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jbe 00007FBFE082F7F2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D608FC second address: D6090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBFE0B7F1E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6090A second address: D60910 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60B7B second address: D60B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60B83 second address: D60B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60B87 second address: D60B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60B8B second address: D60BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFE082F7F5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FBFE082F7F1h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64F09 second address: D64F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE4C4A second address: CE4C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE4C50 second address: CE4C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFE0B7F1F5h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A6AF second address: D6A6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A6B5 second address: D6A6C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 je 00007FBFE0B7F1E6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69AD1 second address: D69AE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FBFE082F7E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69AE8 second address: D69AEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69AEC second address: D69AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBFE082F7E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69AF8 second address: D69AFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A026 second address: D6A02C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6A02C second address: D6A030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D956 second address: D6D97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FBFE082F7EAh 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FBFE082F7E8h 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FBFE082F7E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D97A second address: D6D98A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D98A second address: D6D98F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D98F second address: D6D9A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jg 00007FBFE0B7F1E6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FBFE0B7F1E6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D9A4 second address: D6D9BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D71D34 second address: D71D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D71FD1 second address: D71FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBFE082F7E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D71FDB second address: D71FF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7212C second address: D72160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 jno 00007FBFE082F7F4h 0x0000000f jmp 00007FBFE082F7F4h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72160 second address: D72166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72166 second address: D7216C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D725BB second address: D725CD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBFE0B7F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FBFE0B7F1EEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D725CD second address: D725EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FBFE082F7F1h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D728D9 second address: D728DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D728DF second address: D728E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D71A2B second address: D71A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D760B0 second address: D76110 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBFE082F7EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007FBFE082F7FFh 0x00000011 jmp 00007FBFE082F7F9h 0x00000016 jmp 00007FBFE082F7F4h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FBFE082F7F4h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D762B0 second address: D762BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBFE0B7F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D762BE second address: D762D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBFE082F7EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D762D3 second address: D762D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76437 second address: D7644F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7644F second address: D7646D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFE0B7F1F3h 0x00000009 jng 00007FBFE0B7F1E6h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7646D second address: D76487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFE082F7F4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76487 second address: D7648B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76613 second address: D76617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D789D0 second address: D789D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D789D6 second address: D789E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE082F7EBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F2C4 second address: D7F2DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DD61 second address: D7DD6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DD6A second address: D7DD72 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DD72 second address: D7DD77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E44B second address: D2E44F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E44F second address: D2E455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E455 second address: D2E482 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFE0B7F1F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007FBFE0B7F1F1h 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F00A second address: D7F03C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FBFE082F81Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBFE082F7F2h 0x00000015 jmp 00007FBFE082F7F0h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7F03C second address: D7F040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D83E47 second address: D83E5B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBFE082F7E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FBFE082F7E6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D83E5B second address: D83E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE013 second address: CDE01B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE01B second address: CDE024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDE024 second address: CDE063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBFE082F7EFh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FBFE082F7ECh 0x00000014 ja 00007FBFE082F7E6h 0x0000001a jmp 00007FBFE082F7EDh 0x0000001f jns 00007FBFE082F7E6h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8342E second address: D83432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: repeated rdtsc-to-rdtsc instruction traces (raw disassembly entries omitted)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B7DEED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B7DDF4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5380000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 54F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 74F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF1058 rdtsc 0_2_00CF1058
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D033D9 sidt fword ptr [esp-02h] 0_2_00D033D9
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1928 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF1058 rdtsc 0_2_00CF1058
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D0302E LdrInitializeThunk, 0_2_00D0302E
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 'Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (numbers in front of a technique are the count of matching signatures)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 1 Masquerading | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Service Execution | 1 DLL Side-Loading | 1 Process Injection | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 271 Virtualization/Sandbox Evasion | Security Account Manager | 271 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Bypass User Account Control | 1 Process Injection | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562779
Start date and time: 2024-11-26 01:40:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.516164668398922
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'752'512 bytes
MD5: 22370d009f56cb4eaa0c65191c9ce569
SHA1: 61709a4936735ee99136b7dc86de24480146d8b5
SHA256: 3c15b93399455363458932130652659f24d2415b1dc2ef02ace1f943cb83e78d
SHA512: b35ac9f727ca14431375b29188029a3ffed85b076de97c3295d2303a9ab329fb0428da444276c2443698f770f2e9f8f85462dd11a36020826d52be7929f81734
SSDEEP: 49152:4XIeySa9zQ6le/LQU5tLtRw2Wgw9UGNYlYwV:4XIeySad1le/LQIVtRwPf9UKYl
TLSH: 37D57E52B84872CFD88E27789527CD82696D47F86B1458C3A83C64BD7E73DC126BEC24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`*.. ...`....@.. ........................*.....r.*...`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x6a6000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FBFE0812EDAh
pmaxub mm5, qword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00h], ah
add byte ptr [eax], al
mov ah, 90h
dec edi
sldt word ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 80h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (the first section's name is empty or non-printable in the sample)

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 26cd633aca360a1d7bb76cac1cfaa235 | False | 0.9301215277777778 | data | 7.771151121677305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nddcsido | 0xa000 | 0x29a000 | 0x29a000 | 209a7aecfbcd3f180ea2308b3d1cd9a5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dwmsfeeq | 0x2a4000 | 0x2000 | 0x400 | 2c0207dbc8cb738c983f7d2a4b7e6a61 | False | 0.765625 | data | 6.06019922085009 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2a6000 | 0x4000 | 0x2200 | c2dcfccc7aaa9fc55f482e618b396fb6 | False | 0.061810661764705885 | DOS executable (COM) | 0.7650570663068007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

Imports

DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 0
Start time: 19:41:08
Start date: 25/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xb70000
File size: 2'752'512 bytes
MD5 hash: 22370D009F56CB4EAA0C65191C9CE569
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage:3.8%
    Dynamic/Decrypted Code Coverage:6.2%
    Signature Coverage:2.3%
    Total number of Nodes:259
    Total number of Limit Nodes:18
    execution_graph 9042 b7b7b2 9043 b7b7b7 9042->9043 9043->9043 9044 b7b922 LdrInitializeThunk 9043->9044 9045 d4a611 9056 d4894f GetCurrentThreadId 9045->9056 9047 d4a61d 9048 d4a667 9047->9048 9060 d49061 9047->9060 9064 d489fa 9048->9064 9053 d4a643 9055 d489fa Sleep 9053->9055 9054 d4a685 9055->9054 9057 d48967 9056->9057 9058 d489ae 9057->9058 9059 d4899d Sleep 9057->9059 9058->9047 9059->9057 9061 d49072 9060->9061 9062 d490af 9060->9062 9061->9062 9068 d48f02 9061->9068 9062->9048 9062->9053 9065 d48a06 9064->9065 9088 d4f6f4 9065->9088 9067 d48a15 GetModuleHandleExA 9067->9054 9069 d48f2f 9068->9069 9070 d48f5d PathAddExtensionA 9069->9070 9071 d48f78 9069->9071 9077 d49035 9069->9077 9070->9071 9073 d48f9a 9071->9073 9080 d48ba3 9071->9080 9074 d48ba3 lstrcmpiA 9073->9074 9073->9077 9078 d48fe3 9073->9078 9074->9078 9075 d48ba3 lstrcmpiA 9079 d4900c 9075->9079 9076 d48ba3 lstrcmpiA 9076->9077 9077->9061 9078->9075 9078->9077 9078->9079 9079->9076 9079->9077 9081 d48bc1 9080->9081 9082 d48bd8 9081->9082 9084 d48b20 9081->9084 9082->9073 9085 d48b4b 9084->9085 9086 d48b7d lstrcmpiA 9085->9086 9087 d48b93 9085->9087 9086->9087 9087->9082 9090 d4f6fa 9088->9090 9091 d4f701 9090->9091 9092 d4f714 Sleep 9091->9092 9093 d4f723 9091->9093 9092->9091 9308 d4a27c 9309 d4a285 17 API calls 9308->9309 9094 d4aede 9096 d4aefc 9094->9096 9095 d4b066 9096->9095 9102 d4a8a5 9096->9102 9098 d4b05b 9099 d4b69a 5 API calls 9098->9099 9099->9095 9101 d4af39 9101->9098 9108 d4b69a 9101->9108 9103 d4a8b2 9102->9103 9104 d4a8eb CreateFileA 9103->9104 9107 d4a9ad 9103->9107 9105 d4a937 9104->9105 9105->9107 9110 d4a768 CloseHandle 9105->9110 9107->9101 9112 d4b6a3 9108->9112 9111 d4a77c 9110->9111 9111->9107 9113 d4894f 2 API calls 9112->9113 9114 d4b6af 9113->9114 9115 d4b6d8 9114->9115 9116 d4b6c8 9114->9116 9118 d489fa Sleep 9115->9118 9123 d4a78f 9116->9123 9120 d4b6dd CloseHandle 9118->9120 9121 d4b6f2 9120->9121 9122 d489fa Sleep 9122->9121 9126 d487fa 9123->9126 9127 
d48810 9126->9127 9128 d4882a 9127->9128 9130 d487de 9127->9130 9128->9122 9131 d4a768 CloseHandle 9130->9131 9132 d487ee 9131->9132 9132->9128 9310 d4a4be 9312 d4a4ca 9310->9312 9313 d4a4de 9312->9313 9315 d4a506 9313->9315 9316 d4a51f 9313->9316 9318 d4a528 9316->9318 9319 d4a537 9318->9319 9320 d4a53f 9319->9320 9321 d4894f 2 API calls 9319->9321 9323 d4a5f0 GetModuleHandleA 9320->9323 9324 d4a5e2 GetModuleHandleW 9320->9324 9322 d4a549 9321->9322 9325 d4a581 9322->9325 9327 d49061 2 API calls 9322->9327 9326 d4a5f9 9323->9326 9324->9326 9328 d4a5b5 9325->9328 9329 d4a564 9327->9329 9330 d489fa Sleep 9328->9330 9329->9328 9331 d4a577 9329->9331 9330->9320 9332 d489fa Sleep 9331->9332 9332->9326 9133 53c10f0 9134 53c1131 9133->9134 9136 d4b6a3 5 API calls 9134->9136 9135 53c1151 9136->9135 9333 53c1510 9334 53c1558 ControlService 9333->9334 9335 53c158f 9334->9335 9336 53c15d0 9337 53c164e ChangeServiceConfigA 9336->9337 9339 53c18da 9337->9339 9137 cfd7c2 9138 cfd7dd 9137->9138 9139 cfd7ec RegOpenKeyA 9138->9139 9140 cfd813 RegOpenKeyA 9138->9140 9139->9140 9141 cfd809 9139->9141 9142 cfd830 9140->9142 9141->9140 9143 cfd874 GetNativeSystemInfo 9142->9143 9144 cfd08f 9142->9144 9143->9144 9145 cf0f81 9146 cf0f91 CreateFileA 9145->9146 9147 cf0fa0 9146->9147 9150 cf1130 9146->9150 9152 cf1058 9147->9152 9153 cf1066 CreateFileA 9152->9153 9155 cf10fb 9153->9155 9340 b7e786 9341 b7f316 VirtualAlloc 9340->9341 9342 b7f32d 9341->9342 9343 d4a166 9344 d49fae 17 API calls 9343->9344 9345 d4a179 9344->9345 9156 d4a187 9159 d49fc7 9156->9159 9161 d49fd3 9159->9161 9162 d49fe8 9161->9162 9164 d4a006 9162->9164 9165 d4a015 9162->9165 9167 d4a022 9165->9167 9169 d4a038 9167->9169 9168 d4a040 9170 d4a120 9168->9170 9171 d4a10d 9168->9171 9169->9168 9172 d4894f 2 API calls 9169->9172 9174 d4a13e LoadLibraryExA 9170->9174 9175 d4a12a LoadLibraryExW 9170->9175 9202 d49e4d 9171->9202 9176 d4a062 9172->9176 9177 d4a11b 9174->9177 9175->9177 9178 d49061 2 API calls 9176->9178 9181 
d4a073 9178->9181 9179 d4a09b 9180 d489fa Sleep 9179->9180 9180->9168 9181->9179 9182 d4a0a1 9181->9182 9186 d4998d 9182->9186 9184 d4a0e4 9185 d489fa Sleep 9184->9185 9185->9177 9187 d499b3 9186->9187 9188 d499a9 9186->9188 9206 d491e0 9187->9206 9188->9184 9195 d49a03 9196 d49a30 9195->9196 9201 d49a68 9195->9201 9216 d493be 9195->9216 9220 d49659 9196->9220 9199 d49a3b 9199->9201 9225 d495d0 9199->9225 9201->9188 9229 d4a19f 9201->9229 9203 d49e58 9202->9203 9204 d49e68 9203->9204 9205 d49e79 LoadLibraryExA 9203->9205 9204->9177 9205->9204 9207 d491fc 9206->9207 9208 d49255 9206->9208 9207->9208 9209 d4922c VirtualAlloc 9207->9209 9208->9188 9210 d49286 VirtualAlloc 9208->9210 9209->9208 9211 d492cb 9210->9211 9211->9201 9212 d49303 9211->9212 9215 d4932b 9212->9215 9213 d49344 VirtualAlloc 9214 d493a2 9213->9214 9213->9215 9214->9195 9215->9213 9215->9214 9217 d493d9 9216->9217 9219 d493de 9216->9219 9217->9196 9218 d49411 lstrcmpiA 9218->9217 9218->9219 9219->9217 9219->9218 9221 d49765 9220->9221 9223 d49686 9220->9223 9221->9199 9223->9221 9231 d4916b 9223->9231 9239 d4a27c 9223->9239 9226 d495f9 9225->9226 9227 d4963a 9226->9227 9228 d49611 VirtualProtect 9226->9228 9227->9201 9228->9226 9228->9227 9271 d4a1ab 9229->9271 9241 d49fae 9231->9241 9233 d4917e 9234 d491d0 9233->9234 9236 d491a7 9233->9236 9238 d491c4 9233->9238 9235 d4a19f 4 API calls 9234->9235 9235->9238 9237 d4a19f 4 API calls 9236->9237 9236->9238 9237->9238 9238->9223 9244 d4a285 9239->9244 9242 d4a015 17 API calls 9241->9242 9243 d49fc3 9242->9243 9243->9233 9245 d4a294 9244->9245 9246 d4a29c 9245->9246 9248 d4894f 2 API calls 9245->9248 9247 d4a2c9 GetProcAddress 9246->9247 9249 d4a2e1 9247->9249 9250 d4a2a6 9248->9250 9251 d4a2c4 9250->9251 9252 d4a2b6 9250->9252 9254 d489fa Sleep 9251->9254 9257 d49cdd 9252->9257 9254->9247 9256 d489fa Sleep 9256->9249 9258 d49dc9 9257->9258 9259 d49cfc 9257->9259 9258->9256 9259->9258 9260 d49d39 lstrcmpiA 9259->9260 9261 d49d63 9259->9261 9260->9259 
9260->9261 9261->9258 9263 d49c26 9261->9263 9265 d49c37 9263->9265 9264 d49cc2 9264->9258 9265->9264 9266 d49c67 lstrcpyn 9265->9266 9266->9264 9267 d49c83 9266->9267 9267->9264 9268 d4916b 16 API calls 9267->9268 9269 d49cb1 9268->9269 9269->9264 9270 d4a27c 16 API calls 9269->9270 9270->9264 9272 d4a1ba 9271->9272 9273 d4a1c2 9272->9273 9274 d4894f 2 API calls 9272->9274 9275 d4a210 FreeLibrary 9273->9275 9276 d4a1cc 9274->9276 9277 d4a223 9275->9277 9278 d4a20b 9276->9278 9280 d4a1dc 9276->9280 9279 d489fa Sleep 9278->9279 9279->9275 9284 d49b8d 9280->9284 9282 d4a1f7 9283 d489fa Sleep 9282->9283 9283->9277 9285 d49bb0 9284->9285 9287 d49bf0 9284->9287 9285->9287 9288 d48749 9285->9288 9287->9282 9291 d48752 9288->9291 9289 d4876a 9289->9287 9291->9289 9292 d48730 9291->9292 9293 d4a19f GetCurrentThreadId Sleep FreeLibrary Sleep 9292->9293 9294 d4873d 9293->9294 9294->9291 9295 b7eb23 VirtualAlloc 9296 cfcb9b 9297 cfd8ce LoadLibraryA 9296->9297 9346 53c1308 9347 53c1349 ImpersonateLoggedOnUser 9346->9347 9348 53c1376 9347->9348 9349 53c0d48 9351 53c0d93 OpenSCManagerW 9349->9351 9352 53c0ddc 9351->9352 9299 cf10da 9300 cf10e1 CreateFileA 9299->9300 9301 cf10fb 9300->9301 9353 ceec7b LoadLibraryA 9354 ceec83 9353->9354 9302 d4b089 9304 d4b0a0 9302->9304 9303 d4b19d 9304->9303 9305 d4b109 CreateFileA 9304->9305 9306 d4b14e 9305->9306 9306->9303 9307 d4a768 CloseHandle 9306->9307 9307->9303 9355 cf0cf2 CreateFileA 9356 cf0d04 9355->9356

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 140 cf1058-cf10b7 147 cf10bd-cf10c4 140->147 148 cf10c5-cf10f5 CreateFileA 140->148 147->148 151 cf10fb-cf1108 148->151 152 cf1130-cf1159 call cf115c 148->152 154 cf1203-cf1212 call cf1215 151->154 152->154
    APIs
    • CreateFileA.KERNELBASE(?,00CF1054,00000003,00000000,00000003), ref: 00CF10E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: f52cb41c10c00c27742fdf2e366cc75122bb1cc42741d6e51e671a1e14cefc5f
    • Instruction ID: 5155ecac28267e21fb175df72a27a6090e16343f679d441b8c32baeee5543dd1
    • Opcode Fuzzy Hash: f52cb41c10c00c27742fdf2e366cc75122bb1cc42741d6e51e671a1e14cefc5f
    • Instruction Fuzzy Hash: 4611387610828DEED750CE658950BFF77ACEB52370F388415FE01C7641D6A14D889B36

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 301 53c15d0-53c165a 303 53c165c-53c1666 301->303 304 53c1693-53c16b5 301->304 303->304 305 53c1668-53c166a 303->305 309 53c16b7-53c16c4 304->309 310 53c16f1-53c1712 304->310 307 53c166c-53c1676 305->307 308 53c168d-53c1690 305->308 311 53c1678 307->311 312 53c167a-53c1689 307->312 308->304 309->310 313 53c16c6-53c16c8 309->313 320 53c174b-53c176d 310->320 321 53c1714-53c171e 310->321 311->312 312->312 314 53c168b 312->314 315 53c16ca-53c16d4 313->315 316 53c16eb-53c16ee 313->316 314->308 318 53c16d8-53c16e7 315->318 319 53c16d6 315->319 316->310 318->318 322 53c16e9 318->322 319->318 327 53c176f-53c177c 320->327 328 53c17a9-53c17ca 320->328 321->320 323 53c1720-53c1722 321->323 322->316 325 53c1724-53c172e 323->325 326 53c1745-53c1748 323->326 329 53c1730 325->329 330 53c1732-53c1741 325->330 326->320 327->328 332 53c177e-53c1780 327->332 336 53c17cc-53c17d6 328->336 337 53c1803-53c1825 328->337 329->330 330->330 331 53c1743 330->331 331->326 333 53c1782-53c178c 332->333 334 53c17a3-53c17a6 332->334 338 53c178e 333->338 339 53c1790-53c179f 333->339 334->328 336->337 340 53c17d8-53c17da 336->340 347 53c1827-53c1834 337->347 348 53c1861-53c18d8 ChangeServiceConfigA 337->348 338->339 339->339 341 53c17a1 339->341 342 53c17dc-53c17e6 340->342 343 53c17fd-53c1800 340->343 341->334 345 53c17e8 342->345 346 53c17ea-53c17f9 342->346 343->337 345->346 346->346 349 53c17fb 346->349 347->348 350 53c1836-53c1838 347->350 354 53c18da-53c18e0 348->354 355 53c18e1-53c1920 348->355 349->343 352 53c183a-53c1844 350->352 353 53c185b-53c185e 350->353 356 53c1848-53c1857 352->356 357 53c1846 352->357 353->348 354->355 361 53c1930-53c1934 355->361 362 53c1922-53c1926 355->362 356->356 359 53c1859 356->359 357->356 359->353 364 53c1944-53c1948 361->364 365 53c1936-53c193a 361->365 362->361 363 53c1928-53c192b call 53c013c 362->363 363->361 366 53c1958-53c195c 364->366 367 53c194a-53c194e 364->367 365->364 369 53c193c-53c193f call 53c013c 365->369 371 
53c196c-53c1970 366->371 372 53c195e-53c1962 366->372 367->366 370 53c1950-53c1953 call 53c013c 367->370 369->364 370->366 376 53c1980-53c1984 371->376 377 53c1972-53c1976 371->377 372->371 375 53c1964-53c1967 call 53c013c 372->375 375->371 380 53c1994 376->380 381 53c1986-53c198a 376->381 377->376 379 53c1978-53c197b call 53c013c 377->379 379->376 384 53c1995 380->384 381->380 383 53c198c-53c198f call 53c013c 381->383 383->380 384->384
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 053C18C8
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: efc27c563d5d21e78580df99b73a92dc1a9633386ab5e0371c813f86ca8a66f2
    • Instruction ID: b38b0da12633188b61f450f0f1b8ef653c8d8f82914acc3df942d84f4eecd7c0
    • Opcode Fuzzy Hash: efc27c563d5d21e78580df99b73a92dc1a9633386ab5e0371c813f86ca8a66f2
    • Instruction Fuzzy Hash: 49C16A71D102599FDB10CFA8C8857AEBBF2FF45310F1482A9EC55E7281DBB48891DB82

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00D4A133
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00D4A147
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 42d318072617604bc623061929f05eb07ddbd63bc3c55f7a94a691553bb0de8d
    • Instruction ID: eebbd5af893a65849e94edb72b7e8cb7e8491fbacedef229376c6e902b825846
    • Opcode Fuzzy Hash: 42d318072617604bc623061929f05eb07ddbd63bc3c55f7a94a691553bb0de8d
    • Instruction Fuzzy Hash: A6317831444209EFCF25AF58D801AADBB75FF08390F14412AF842A6165CB70D9A0EFB2

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00D4A4BA,?,00000000,00000000), ref: 00D4A5E5
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00D4A4BA,?,00000000,00000000), ref: 00D4A5F3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 4b4341fb1caa019e80cd9e89d69d1a0122a924befcb0b5cb191e33d7af70c2f8
    • Instruction ID: 7ff82f18d8b43d28b7c071a224bc6429a6060e24026cbdde0912abca2d4e7a74
    • Opcode Fuzzy Hash: 4b4341fb1caa019e80cd9e89d69d1a0122a924befcb0b5cb191e33d7af70c2f8
    • Instruction Fuzzy Hash: 01112E30185586EBEF30EF18C9097AE76B0FF00359F088125B805554A1DB79D6D5EEB3

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00CFD7FF
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00CFD826
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00CFD87D
    Memory Dump Source
    • Source File: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: c1b72dbe3aaa7708de0de22d0c068cb33a424b975f1e1a66056ccac2bea6eab2
    • Instruction ID: cd8b1730378e8c8eaa57ee8b2bd42ed9911b17d9f7d8375581a80652417ac284
    • Opcode Fuzzy Hash: c1b72dbe3aaa7708de0de22d0c068cb33a424b975f1e1a66056ccac2bea6eab2
    • Instruction Fuzzy Hash: 183158B540410EDFEF51DF10C849BEF3BEAEF54341F110426AA4282990DBB65CA49F5A

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00D48F64
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: bb0571b4bd5a091a831f5865947113a48a38af774bf3dfe00f96c0aa8e7f7dd3
    • Instruction ID: 532f744c9e0b45d944bae757e09d9fddc6e6c2f2c3007eb501810c8ac3f2b1f1
    • Opcode Fuzzy Hash: bb0571b4bd5a091a831f5865947113a48a38af774bf3dfe00f96c0aa8e7f7dd3
    • Instruction Fuzzy Hash: 8D31F635600209BFDF21DF99CC09F9EBB7AFF49354F080161FA00A54A0D7729A65EB60

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: da0a4adec9a90ad331b181bea264063aa4b4f0599eb9cb1fafa0969db9dd33c1
    • Instruction ID: bc24dd58399ab708ae051de488feea6fdf007344c0e897683b32fd68157dfe57
    • Opcode Fuzzy Hash: da0a4adec9a90ad331b181bea264063aa4b4f0599eb9cb1fafa0969db9dd33c1
    • Instruction Fuzzy Hash: DF112EB618824D6DEB518F54C9407FE765EFB93730F304015FA01D6983D2E10D585666

    Control-flow Graph

    APIs
    • CreateFileA.KERNELBASE(?,00CF1054,00000003,00000000,00000003), ref: 00CF10E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: -Q1
    • API String ID: 823142352-3920935146
    • Opcode ID: b7561bb7c38bee6f94dbac4ce9585befd78f5d6b2a419e4ef891a19d6ea3cd78
    • Instruction ID: 5e1770cedde3316b20499ee6b9b55b2bc7a4c56117cef926675bf70faccc9ef4
    • Opcode Fuzzy Hash: b7561bb7c38bee6f94dbac4ce9585befd78f5d6b2a419e4ef891a19d6ea3cd78
    • Instruction Fuzzy Hash: 0CF0B43560928EEEDB90DEB5C855BEF37A4EF64790F28841AEE11C3541D9210C849F67

    Control-flow Graph
    • Basic blocks (graph image not extracted; executed/not-executed colouring lost): d4a611-d4a624 (call d4894f), d4a62a-d4a636 (call d49061), d4a63b-d4a63d, d4a643-d4a64a, d4a650, d4a653-d4a680 (call d489fa), d4a667-d4a67b (call d489fa, GetModuleHandleExA), d4a685-d4a687
    APIs
      • Part of subcall function 00D4894F: GetCurrentThreadId.KERNEL32 ref: 00D4895E
      • Part of subcall function 00D4894F: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D489A1
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00D4A675
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: the other dumps of the 00B70000 module (same list as given for the function above)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: d02a03150db441f458918545947f85ac9a9de69a50d20b0392ab2daf32173f42
    • Instruction ID: 2c4327baf6984b3a9f804bdd446a1255560b45c9ce7acb90b8828f9b19a8a0c7
    • Opcode Fuzzy Hash: d02a03150db441f458918545947f85ac9a9de69a50d20b0392ab2daf32173f42
    • Instruction Fuzzy Hash: 17F06DB2100605EFDF10EF58C845BAD7BA5FF08354F198115FE058A051CB31C490AA32

    Control-flow Graph
    • Basic blocks (graph image not extracted; executed/not-executed colouring lost): cf0cf2-cf0cfe (CreateFileA), cf0d04-cf0d0c (call cf0d0f), cf1130-cf1212 (call cf115c, call cf1215)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: the other dumps of the 00B70000 module (same list as given for the functions above)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 65f2eaa43dd3f9f4aba278a0f81bbc7b7eccbafabc7be36ca208af3ea7f8a6ca
    • Instruction ID: b681eac2569a0f7f88cc13095f2fabf5b3319a7e3dac8f88e520874700c47245
    • Opcode Fuzzy Hash: 65f2eaa43dd3f9f4aba278a0f81bbc7b7eccbafabc7be36ca208af3ea7f8a6ca
    • Instruction Fuzzy Hash: CBE0683510835E21C7519F34CCD07DFB6849F60310F14C115A6046B2C2C1B52D048A2C

    Control-flow Graph
    • Basic blocks (graph image not extracted; executed/not-executed colouring lost): d4894f-d48965 (GetCurrentThreadId), d48967-d48973, d48979-d4897b, d48981-d48988, d4898e-d48995, d4899b, d4899d-d489a9 (Sleep; branches back to d48967, which forms the loop), d489ae-d489bb (call d4f7ce, loop exit)
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00D4895E
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D489A1
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: the other dumps of the 00B70000 module (same list as given for the functions above)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 0d28c1c52f9eb0ff9ec12d068a357b75af61c1db9ab7cf26585783e622c511ab
    • Instruction ID: 2b679a0d5c668b3e6cc753c371ae19ef2fc54739e29bef5dd46c1c4833ee3c48
    • Opcode Fuzzy Hash: 0d28c1c52f9eb0ff9ec12d068a357b75af61c1db9ab7cf26585783e622c511ab
    • Instruction Fuzzy Hash: 02F0E231501A0AFFDB219F60C98877EB3B4FF4135AF28013AD20195561DB745985EEA2

    Control-flow Graph
    • Basic blocks (graph image not extracted; executed/not-executed colouring lost): 53c15c4-53c165a through 53c1995. After the entry block, six structurally similar block groups follow (entered at 53c1668, 53c16c6, 53c1720, 53c177e, 53c17d8 and 53c1836), each containing a self-looping block (53c167a-53c1689, 53c16d8-53c16e7, 53c1732-53c1741, 53c1790-53c179f, 53c17ea-53c17f9, 53c1848-53c1857). Block 53c1871-53c18d8 calls ChangeServiceConfigA; 53c18e1-53c1920 then fans out into a chain of conditional calls to 53c013c (from 53c1928, 53c193c, 53c1950, 53c1964, 53c1978 and 53c198c) and ends in 53c1995, which loops to itself.
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 053C18C8
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 0eb8ca9434cfb5dec0745fd20f6a8a728dde7ba7898b01e5c45b3119ba5ecc8f
    • Instruction ID: 654df5a902dd80bedc3c6bca3807cc86083c98fa51dd2f4896f0ce81b957f5d6
    • Opcode Fuzzy Hash: 0eb8ca9434cfb5dec0745fd20f6a8a728dde7ba7898b01e5c45b3119ba5ecc8f
    • Instruction Fuzzy Hash: 16C16971D106599FDB10CFA8C8857AEBBB2FF45310F1482A9EC55E7281DBB48891DF82
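    The API lines in the entries above are the actionable part of this section: CreateFileA with share mode 00000003 and creation disposition 00000003, a Sleep(5) issued from the GetCurrentThreadId loop at 00D4894F, GetModuleHandleExA, and ChangeServiceConfigA in the 053C0000 region, which the report marks "based on PE: false" (memory outside any mapped image, so this is unpacked or injected code rather than a section of file.exe). Two caveats apply when reading them. Joe Sandbox recovers these arguments statically from the stack, so "?" means unresolved, and a value such as 00CF1054 in the dwDesiredAccess slot is an address inside the 00B70000 module (the CEC000 code region), not an access mask. The Python below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses the API lines, decodes the Win32 constants that were resolved, flags slots that hold in-module addresses, and attaches the host-side check for the service tampering call. It assumes the recovered arguments are printed in call order (so the third CreateFileA value is dwShareMode and the fifth dwCreationDisposition) and that the module spans 00B70000 to 00E20000, an upper bound guessed from the dump list; the sample input is the API lines copied from this section.

    ```python
    import re
    from dataclasses import dataclass
    from typing import Optional

    # Constructed sample input: the "APIs" lines of the function entries in this
    # section, copied from the report with the bullets removed.
    API_LINES = [
        "CreateFileA.KERNELBASE(?,00CF1054,00000003,00000000,00000003), ref: 00CF10E7",
        "Part of subcall function 00D4894F: GetCurrentThreadId.KERNEL32 ref: 00D4895E",
        "Part of subcall function 00D4894F: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D489A1",
        "GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00D4A675",
        "ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 053C18C8",
        "CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91",
    ]

    # Address range of the unpacked main module, from the memory dump list (base
    # 00B70000, highest dump 00E16000; the upper bound is an assumption). A value in
    # this range sitting in a flag slot is a stack-recovery artifact, not a flag.
    MODULE_RANGE = (0x00B70000, 0x00E20000)

    # Win32 constants for the two CreateFileA arguments the report did resolve.
    FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
    CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
    # CreateFileA parameters in call order. Assumption: the report prints recovered
    # stack arguments in this order and stops at the last one it could read.
    CREATEFILE_PARAMS = ["lpFileName", "dwDesiredAccess", "dwShareMode",
                         "lpSecurityAttributes", "dwCreationDisposition",
                         "dwFlagsAndAttributes", "hTemplateFile"]

    CALL_RE = re.compile(
        r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
        r"(?P<api>\w+)\.(?P<mod>\w+)"
        r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
    )

    @dataclass
    class ApiCall:
        api: str
        module: str
        ref: int                       # address of the call instruction
        args: list                     # int for resolved values, None for "?"
        subcall: Optional[int] = None  # function the call was attributed through

    def parse_call(line: str) -> Optional[ApiCall]:
        """Parse one 'APIs' line of a Joe Sandbox function entry; None if it is not one."""
        m = CALL_RE.match(line.strip().lstrip("• ").strip())
        if not m:
            return None
        raw = m.group("args")
        args = [] if not raw else [None if a.strip() == "?" else int(a.strip(), 16)
                                   for a in raw.split(",")]
        sub = m.group("sub")
        return ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16),
                       args, int(sub, 16) if sub else None)

    def in_module(value: int) -> bool:
        return MODULE_RANGE[0] <= value < MODULE_RANGE[1]

    def flag_names(value: int, table: dict) -> str:
        """Render a bit-flag value as OR-ed constant names; unknown bits stay as hex."""
        names = [name for bit, name in table.items() if value & bit]
        leftover = value & ~sum(table)
        if leftover:
            names.append(hex(leftover))
        return "|".join(names) if names else "0"

    def decode_create_file(call: ApiCall) -> dict:
        """Name the recovered CreateFileA arguments and decode share mode / disposition."""
        named = dict(zip(CREATEFILE_PARAMS, call.args))
        out = {"ref": f"{call.ref:08X}", "filename_known": named.get("lpFileName") is not None}
        access = named.get("dwDesiredAccess")
        if access is not None:  # in-module address here means the slot was misread
            out["desired_access"] = (f"unresolved (in-module address {access:08X})"
                                     if in_module(access) else hex(access))
        share = named.get("dwShareMode")
        if share is not None:
            out["share_mode"] = flag_names(share, FILE_SHARE)
        disp = named.get("dwCreationDisposition")
        if disp is not None:
            out["creation_disposition"] = CREATION_DISPOSITION.get(disp, hex(disp))
        return out

    def triage(lines) -> list:
        """One finding string per API line, with the host-side check for tampering calls."""
        findings = []
        for line in lines:
            call = parse_call(line)
            if call is None:
                continue
            where = f"{call.api} @ {call.ref:08X}"
            if call.api == "CreateFileA":
                d = decode_create_file(call)
                findings.append(
                    f"{where}: share={d.get('share_mode', 'unresolved')} "
                    f"disposition={d.get('creation_disposition', 'unresolved')} "
                    f"access={d.get('desired_access', 'unresolved')}; file name not "
                    "recovered statically, take it from the runtime API log")
            elif call.api == "Sleep":
                ms = call.args[0] if call.args and call.args[0] is not None else "?"
                owner = f"{call.subcall:08X}" if call.subcall is not None else "caller"
                findings.append(
                    f"{where}: Sleep({ms} ms) in function {owner}; millisecond sleeps "
                    "issued from a loop are stalling/polling, not a real delay")
            elif call.api == "ChangeServiceConfigA":
                unresolved = sum(a is None for a in call.args)
                findings.append(
                    f"{where}: service configuration change, {unresolved}/{len(call.args)} "
                    "arguments unresolved; on the host check System event 7040 (start "
                    "type changed) and the Start value under "
                    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service>")
            else:
                findings.append(f"{where}: {len(call.args)} recovered argument(s)")
        return findings

    if __name__ == "__main__":
        for finding in triage(API_LINES):
            print(finding)
    ```

    Run as a script it prints one line per call; the CreateFileA lines come out as FILE_SHARE_READ|FILE_SHARE_WRITE with OPEN_EXISTING, which is the open pattern used when probing whether a device or file exists, while the flag-looking 00CF1054 and 00CF0E63 values are reported as in-module addresses rather than access masks. The ChangeServiceConfigA line carries no resolved arguments at all, so the service name and new start type have to come from the runtime API trace or from the host (System event 7040 is written by the Service Control Manager whenever a service's start type changes).
    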

    Control-flow Graph
    • Basic blocks (graph image not extracted; executed/not-executed colouring lost): cf0e91-cf0e96, cf0e98-cf0eaa, cf0ebd, cf0ebf-cf0f14, cf0f1a, cf0f1f-cf0f50, cf0f56, cf0f66-cf0f9a (call cf0f75, CreateFileA), cf0fa0-cf0fa6, cf0fac, cf0fb2, cf0fb5-cf1006, cf100c, cf1012-cf1056 (call cf1058), cf1130-cf1212 (call cf115c, call cf1215)
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: the other dumps of the 00B70000 module (same list as given for the functions above)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d871f72ea3824dc9aedae2daa5cd1061f6d8b50ccf7b79cc977f4066ae4edb81
    • Instruction ID: d45a0c1754470e96282abb2e1441d1b514003d0d066fb6de8c63620d6c45b2b1
    • Opcode Fuzzy Hash: d871f72ea3824dc9aedae2daa5cd1061f6d8b50ccf7b79cc977f4066ae4edb81
    • Instruction Fuzzy Hash: 6E316EB618C24D6ED7928E9196005FA7B69EBD3B30B30442AE642DB543D2900D4AA777

    Control-flow Graph (rendered graph omitted; the executed/not-executed colouring is not recoverable from the text)

    • Basic blocks: 422 cf0e67-cf0f14; 430 cf0f1f-cf0f50; 431 cf0f1a; 435 cf0f66-cf0f9a (call cf0f75, CreateFileA); 436 cf0f56; 440 cf1130-cf1212 (call cf115c, call cf1215); 441 cf0fa0-cf0fa6; 443 cf0fac; 444 cf0fb5-cf1006; 446 cf0fb2; 450 cf100c; 451 cf1012-cf1056 (call cf1058)
    • Edges: 422->430, 422->431, 430->435, 430->436, 431->430, 435->440, 435->441, 436->435, 441->443, 441->444, 443->444, 443->446, 444->450, 444->451, 446->444, 450->451
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 02885dd5af124a663f388fd97bc30b9be1087a811d79c5a192216a3418aebd15
    • Instruction ID: a820bd53880d00be7efa3d98cc678f92cc7a9a1741d8871d3197df4bf6311044
    • Opcode Fuzzy Hash: 02885dd5af124a663f388fd97bc30b9be1087a811d79c5a192216a3418aebd15
    • Instruction Fuzzy Hash: 0631ECF718C10D7DE6918E819B00AFB776DE6D3B30B30482AFA43D5443D1900D496677
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6d953291de947f00b06c390338800f41c9bdb8973c4aa10c8af9005386946412
    • Instruction ID: 277e41ef8c56054d787185bcaae103c7d429fcadc5a04b9665114c25893a0fed
    • Opcode Fuzzy Hash: 6d953291de947f00b06c390338800f41c9bdb8973c4aa10c8af9005386946412
    • Instruction Fuzzy Hash: 2631AFB618C24D6ED792CF959A406FE3B6EEBD3B30B30042AE642DA543D1900D4A6677
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 04802c5ef590f19762ac650ab325b470931332e156612267d91f7e90f284a90e
    • Instruction ID: 785bf806cc514319b6d67a2ef6e77a3ab9cf085c8898956d3cfede2a891dd01a
    • Opcode Fuzzy Hash: 04802c5ef590f19762ac650ab325b470931332e156612267d91f7e90f284a90e
    • Instruction Fuzzy Hash: 76313CBA18C24DBED6918E919A00AFA776EE7D3B30B30482AF643D6543D1A00D496677
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: dbc742b5f7f60b4e324f5b648b7221abf73ac16221615f513dde4aca1172530f
    • Instruction ID: 0194306f4f741bce309acd3b44bc674f6f24a49f58ba555a17fcff4102cc63a4
    • Opcode Fuzzy Hash: dbc742b5f7f60b4e324f5b648b7221abf73ac16221615f513dde4aca1172530f
    • Instruction Fuzzy Hash: F5213EB718C20D7EE6918E919A406FE376EE7D3B30F300426EA03D6943D2910E566567
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: cee744c0520c85761aa06b363cfe85ff0384ea86a561c3a50d6acdbde485da7e
    • Instruction ID: 99b7cdcef278599095c4b45e7bfee9ff114dfd7745740faa27f3a8260efff1f9
    • Opcode Fuzzy Hash: cee744c0520c85761aa06b363cfe85ff0384ea86a561c3a50d6acdbde485da7e
    • Instruction Fuzzy Hash: AB212DB618D20DADD6D18E919A406FE376EEB93B30F30042AFA02D5943D1900D596666
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00D4B13E
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 25e537ed91e4fcae21648545f2844088e494ceab6760d15845071ea910dfe8c3
    • Instruction ID: 595fd34b7e90131c61bce579d5c4e079055b762713ed77676f9f3a9e558aaf50
    • Opcode Fuzzy Hash: 25e537ed91e4fcae21648545f2844088e494ceab6760d15845071ea910dfe8c3
    • Instruction Fuzzy Hash: 4B315E71500208FBEB20AF64DC85F9EBBB8FF58324F248266F515AA191C771D951DB70
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 037f7f0b725e0dd51045d443bebaeb74df057618d6761c6d422310c09ecd9e3c
    • Instruction ID: 66adbbe1f46d57e2e8fcb3d83537218903a718a85a625ce98cc27a4ae5f32de0
    • Opcode Fuzzy Hash: 037f7f0b725e0dd51045d443bebaeb74df057618d6761c6d422310c09ecd9e3c
    • Instruction Fuzzy Hash: 2C3135B250C300AFE7117F19E8816BAFBE8FF88710F12492DE6C482201E73594848B5B
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a38a880a62f27aef4a0ff1ca1cf3fbe1b980b88061c7099df36323b13925b93f
    • Instruction ID: 5237228d7d18dfcfed01f1105b944df5ce9af53833654d6410c895d72ef01f21
    • Opcode Fuzzy Hash: a38a880a62f27aef4a0ff1ca1cf3fbe1b980b88061c7099df36323b13925b93f
    • Instruction Fuzzy Hash: 17115BAB18C20D7DE6A15ED19A00AFE776EE7D3B30F30042AF603D9943D6900D892577
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00D4A927
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a99e9b21ea5640a1c1491d33f91c919c38adf0077a48e838e8f40de87c73460e
    • Instruction ID: 6a22c10f25dc9ffa81804ebfa6ebb143c5472bcf6ca513414efcdb7bf9803956
    • Opcode Fuzzy Hash: a99e9b21ea5640a1c1491d33f91c919c38adf0077a48e838e8f40de87c73460e
    • Instruction Fuzzy Hash: 9D316171680204FFEB20AF68DC45F9977B8FB04724F248265F614EE1D1C7B1A9428B75
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6189940891fe0d7d121df3a10e57710fbb3abc8da65e4d476ca6aca80a6343cd
    • Instruction ID: d4949089fcd71c4901b44024d28ca296a83b2f036b4ae4beb3be941018210a15
    • Opcode Fuzzy Hash: 6189940891fe0d7d121df3a10e57710fbb3abc8da65e4d476ca6aca80a6343cd
    • Instruction Fuzzy Hash: B8117BBB18824D7DDA919E915A006FA776EEBD3B30F30042AF602D9943D2900E496677
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 32bbcb6218613d54ff9bd48a259f6f43d705de20ceeca0d75a38000cacbc6df2
    • Instruction ID: 1eb4f6daa54efd41389a5b930d8fdcdba25bdc25a5891f20e5665fa807bb018c
    • Opcode Fuzzy Hash: 32bbcb6218613d54ff9bd48a259f6f43d705de20ceeca0d75a38000cacbc6df2
    • Instruction Fuzzy Hash: FD1197FB0882497EEA915E908A00BF9766EFBD3B30F30042AF902D9943E2800E491126
    APIs
    • CreateFileA.KERNELBASE(?,00CF0E63,00000003,00000000), ref: 00CF0F91
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d7591035366ad9f986aef2b2101f0bdeb89b49560ef4e6f891da8dfaf15583ed
    • Instruction ID: 2426003d11289be07a735d842c8d4e0fc014fc24f0e5779f44fb2de0af3a3c46
    • Opcode Fuzzy Hash: d7591035366ad9f986aef2b2101f0bdeb89b49560ef4e6f891da8dfaf15583ed
    • Instruction Fuzzy Hash: A41159F70882097EE6915F958A00BF9376FF793730F34002AF902C5843E6D50D492526
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 053C0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 8c6843cf52014f96383b8cb1bb820007beab25c196e02f4acdc980a6c645b1fd
    • Instruction ID: 5917610f337805f437e86438471c6e4d9189b0ac6fca5bc3eb28ae63738b467d
    • Opcode Fuzzy Hash: 8c6843cf52014f96383b8cb1bb820007beab25c196e02f4acdc980a6c645b1fd
    • Instruction Fuzzy Hash: C32134B6800258DFCB14CF99D888BDEFBB4FB88320F14815AD808AB204D774A940CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 053C0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 3e1dd6361bd9766e51dae3904961a1cba1fc0fcdd96056bfaf982e00e06d890b
    • Instruction ID: 8efa6c6c63cd69af6a53329a3c3f4567e3fb62b04fd0097decaa93c5cd4d4c87
    • Opcode Fuzzy Hash: 3e1dd6361bd9766e51dae3904961a1cba1fc0fcdd96056bfaf982e00e06d890b
    • Instruction Fuzzy Hash: 0F2104B6801258DFCB54CF99D988ADEFBB4FB88320F14855AD809AB205D774A940CBA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 053C1580
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: e164a4ffb2a7ac091341411ad028cc633e984a2aba66523ecfe83202a6c89c19
    • Instruction ID: c2ede39e76d6c5c98fc5e20c8f3252ab4498cd07e907a34dbc339f41cf2acdaa
    • Opcode Fuzzy Hash: e164a4ffb2a7ac091341411ad028cc633e984a2aba66523ecfe83202a6c89c19
    • Instruction Fuzzy Hash: 4611E4B5900249DFDB10CF9AC584BDEFBF4EB48320F148429E559A7251D378AA44CFA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: f877f2240db4eef20c92b9d291c0bb22fb8706683b751d56de7fd2b2f9fdccb8
    • Instruction ID: e0ab0cdd994bd688efd917f3a8c5a5c4f04f34edb1d84ecb8c14c6d55b69f025
    • Opcode Fuzzy Hash: f877f2240db4eef20c92b9d291c0bb22fb8706683b751d56de7fd2b2f9fdccb8
    • Instruction Fuzzy Hash: 0EF04FBB2481293CB642D9526E61AFF631DC6C1B70730852BFA11C6083C5944C4A6677
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 053C1580
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: d38c5ed4d197133cd8ffbe1c10ded3a996f770c24d0220f95c84636f9d02789e
    • Instruction ID: 40c6e3dfedfac067a07efba5b6eece2de3eb384f5e8f3f99536f7ab41553d28c
    • Opcode Fuzzy Hash: d38c5ed4d197133cd8ffbe1c10ded3a996f770c24d0220f95c84636f9d02789e
    • Instruction Fuzzy Hash: 781114B6D00209DFDB10CF9AC585BDEFBF4AF48320F14842AE559A7251D378AA44CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 053C1367
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 8ee6f1149810a61fe14fe7a307b8b3753858c65c46fe6709d41bdae49567c97e
    • Instruction ID: e3ad96d272ec919e2a7e7fd19ad3bcb14b2e8849b13b71ea7167dd200b3c3c3c
    • Opcode Fuzzy Hash: 8ee6f1149810a61fe14fe7a307b8b3753858c65c46fe6709d41bdae49567c97e
    • Instruction Fuzzy Hash: DC1113B1800249CFDB10DF9AC545BDEBBF4EF48324F24846AD558A3251D778AA44CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 053C1367
    Memory Dump Source
    • Source File: 00000000.00000002.1938646227.00000000053C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_53c0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 8f6df7ae8927bf7f9ff23390e5be726593ff01e05a738f4a90fb0496cc28a0ae
    • Instruction ID: 3c601ab6f1b2c8e08100bb5d9e28f83a180afa51ece59d30e99bf001c9881bc4
    • Opcode Fuzzy Hash: 8f6df7ae8927bf7f9ff23390e5be726593ff01e05a738f4a90fb0496cc28a0ae
    • Instruction Fuzzy Hash: C71136B1800249CFDB10CF9AC545BDEFBF4EB48324F24846AD558A3251D778A944CFA5
    APIs
    • CreateFileA.KERNELBASE(?,00CF1054,00000003,00000000,00000003), ref: 00CF10E7
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 0dc6365d4301df1dfce4a16cfaab40be10e5897c544f1ebea9764d08011d8724
    • Instruction ID: c0857c1e818c1ca8aab10b2259b57249324ecd8f8f2e2a9201bf3b87315b8d49
    • Opcode Fuzzy Hash: 0dc6365d4301df1dfce4a16cfaab40be10e5897c544f1ebea9764d08011d8724
    • Instruction Fuzzy Hash: 19F0F975A0C18DEED790CE6585456FF37B4EB61370F384015EE01D7141D9604D84AB27
    APIs
    • CreateFileA.KERNELBASE(?,00CF1054,00000003,00000000,00000003), ref: 00CF10E7
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a5adbdb0ef14ace1528934e9e7eea7a828b9328ac974ec00e8f7868e24ac3844
    • Instruction ID: 9624dc1b6214842c66a103a54944418815cd61ea10ed0af65b638a9786b8ebe9
    • Opcode Fuzzy Hash: a5adbdb0ef14ace1528934e9e7eea7a828b9328ac974ec00e8f7868e24ac3844
    • Instruction Fuzzy Hash: 7CF0903160828EDED790DEA68485AEF37A0EB627A0F388415EA11C7241C5614D84AF66
    APIs
    • GetProcAddress.KERNEL32(00D49A3B,00D49A3B), ref: 00D4A2D0
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 0513499fbcb6b8aa7ff40f9bd2b6caf122cb2791e91c82539a1346ff186d998e
    • Instruction ID: 9a2f28dde02082e2fc972d5c1532136c08ee604fcc4370cdbeb24a8d4f1ee09c
    • Opcode Fuzzy Hash: 0513499fbcb6b8aa7ff40f9bd2b6caf122cb2791e91c82539a1346ff186d998e
    • Instruction Fuzzy Hash: 4EE06D22140500F78F113F79C84986E3A55EF503907049121B80AB8056CF72C451FE36
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: dd469270f880ed4068f115aafa257107a643305e5be06055261e678e9d540945
    • Instruction ID: 3f9936b316d06a0565133429e32ec21c23c43b0ffb81eff72d7ea9ba762fa0cd
    • Opcode Fuzzy Hash: dd469270f880ed4068f115aafa257107a643305e5be06055261e678e9d540945
    • Instruction Fuzzy Hash: C5E07D36A0822169CB03AE715C957AD7300CFC0320F30CB7ADA308F0C2C42454465FE7
    APIs
    • CreateFileA.KERNELBASE(?,00CF1054,00000003,00000000,00000003), ref: 00CF10E7
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1fe4d3f1fc1341106315e6ad74f913186840009f7791afd2a3b5d361e95ed982
    • Instruction ID: a2f030ede549221e94a89ff856ccac6d74e01a6e0bea033a8d93d191904823ab
    • Opcode Fuzzy Hash: 1fe4d3f1fc1341106315e6ad74f913186840009f7791afd2a3b5d361e95ed982
    • Instruction Fuzzy Hash: 36E0267050C28E9EE750DFB58892BEE3BA0DB60340F2C4419AD50C3181C0620D144B23
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 24c47d56bdfcc915c106b46d55edca768a0dc5edcbe614faac31eeaa59fa8c72
    • Instruction ID: 814b3faf1b17160acd34033455008dd9e00dafa168952e23d54de84b5a574cf2
    • Opcode Fuzzy Hash: 24c47d56bdfcc915c106b46d55edca768a0dc5edcbe614faac31eeaa59fa8c72
    • Instruction Fuzzy Hash: B3D0673540C70ECEC7467FA9D44902EF7E4FB18340F51092D96D242621E7312460EA47
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: c90a69b56c096933a496f9104c2bc522f82d6ad52f78148df0b60ecf152c6348
    • Instruction ID: 8a7f8a4978c01e79d21e9f212478df4d24f8c6765e40526348c08384aa072aa7
    • Opcode Fuzzy Hash: c90a69b56c096933a496f9104c2bc522f82d6ad52f78148df0b60ecf152c6348
    • Instruction Fuzzy Hash: 2801F676A0020AFFDF12EFA9CC05DDEBB76EF48380F040161F904A4164DB728A61EB60
    APIs
    • Sleep.KERNELBASE(00000000,00D48A15,00D4A210,?,?), ref: 00D4F717
    Memory Dump Source
    • Source File: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: Sleep
    • String ID:
    • API String ID: 3472027048-0
    • Opcode ID: 9adc0fb40a5ff5728a71aceb14f418259def00fcd6289b1ab62b55eca9f76095
    • Instruction ID: c625917535de38645336397e2c352e0bef252f0f5503c25ffdf57f359263c17e
    • Opcode Fuzzy Hash: 9adc0fb40a5ff5728a71aceb14f418259def00fcd6289b1ab62b55eca9f76095
    • Instruction Fuzzy Hash: FE016D71A40202CBEB38DF28C544714B690FF0E360F548578C4C39BAA6D7B898D0CBE5
    APIs
      • Part of subcall function 00D4894F: GetCurrentThreadId.KERNEL32 ref: 00D4895E
      • Part of subcall function 00D4894F: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D489A1
    • CloseHandle.KERNELBASE(00D4B066,-11755FEC,?,?,00D4B066,?), ref: 00D4B6E1
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 56389eea8e4a8e375aec6937c57fbd47436565fd29175b97dc27bb1a732fb480
    • Instruction ID: dcbf8b738572df4173edc16fd2d30097494af0807ee56f2990493867dad19055
    • Opcode Fuzzy Hash: 56389eea8e4a8e375aec6937c57fbd47436565fd29175b97dc27bb1a732fb480
    • Instruction Fuzzy Hash: C1E08663200442EBCE107BBDD81DD6E2B69EFE47E47110232B54A9E055DF24D0D1EE76
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00B7F31B
    Memory Dump Source
    • Source File: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: b8ad59a08486e9ed97983a12baa9d408e96af880f5e8718bb31406927f4e2799
    • Instruction ID: 6b4c91191face11072803e3177b461b37fd55d2eef59ca4a983900fdb4c94946
    • Opcode Fuzzy Hash: b8ad59a08486e9ed97983a12baa9d408e96af880f5e8718bb31406927f4e2799
    • Instruction Fuzzy Hash: A4E048B5508509DFDB04AF54C44476E77E0FFC4322F15C529EDA583690E7354C118A66
    APIs
    • CloseHandle.KERNELBASE(?,?,00D487EE,?,?), ref: 00D4A76E
    Memory Dump Source
    • Source File: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 90e23a0c2cb3d7aa4bd7ca2cef461ed4a7c870a09c1f6a84e0afeff61d4f899e
    • Instruction ID: 01b871387df93292a0f6f39df70c40cef374dd7c8ff0c5b5c772ee372522bf03
    • Opcode Fuzzy Hash: 90e23a0c2cb3d7aa4bd7ca2cef461ed4a7c870a09c1f6a84e0afeff61d4f899e
    • Instruction Fuzzy Hash: D0B09232000508BBCF41BF55DC06C4DBF69FF29398B408120B95A45031CB76FAA19BA1
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00B7EB25
    Memory Dump Source
    • Source File: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: f6f88b275d2d366cb15592711b320ae2692014bec953f12ae4f7edab097fbbc2
    • Instruction ID: cfd880f198b9b7ac87a7b0743dc037fd61a08555a3a6390f8744e876916dd9db
    • Opcode Fuzzy Hash: f6f88b275d2d366cb15592711b320ae2692014bec953f12ae4f7edab097fbbc2
    • Instruction Fuzzy Hash: B4C04C74009309DFD7046F6085856AEFAF4EF49702F11C45EDC96C1590D7720850DA5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1935403574.0000000000B7A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    • Associated: 00000000.00000002.1935352821.0000000000B70000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935370033.0000000000B72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935387085.0000000000B76000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935440144.0000000000B86000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935560501.0000000000CD9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935577694.0000000000CDB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935599028.0000000000CF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935632948.0000000000CFC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935656528.0000000000CFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935677326.0000000000D00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935719228.0000000000D0A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935742156.0000000000D0B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935760585.0000000000D12000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935779251.0000000000D13000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935813090.0000000000D2E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935836210.0000000000D3F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935941012.0000000000D4C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935962411.0000000000D4F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935978094.0000000000D50000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1935996362.0000000000D52000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936027033.0000000000D69000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936042749.0000000000D6E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936058551.0000000000D6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936076707.0000000000D74000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936096504.0000000000D75000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936129080.0000000000D79000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936148034.0000000000D87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936165317.0000000000D88000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936187068.0000000000D8F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936204384.0000000000D94000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936224058.0000000000D95000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936245630.0000000000D9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936263860.0000000000DA3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936282945.0000000000DA7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936303783.0000000000DB5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936345250.0000000000DD5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000DFF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936387159.0000000000E05000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936424957.0000000000E14000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1936443642.0000000000E16000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1936320645.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1935599028.0000000000CEC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1936361551.0000000000DD6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1935693478.0000000000D01000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b70000_file.jbxd
    Similarity