Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546539
MD5: 481c8b24c57da4a1a61f3ba321f84c5c
SHA1: 57b83e709ddf9067f94e3831f6cc2e18f59c42ee
SHA256: f3daf351dc8d9b8ec19991e83ad7344d18124790592e971cf3d93070c0800c33
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 64 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 481C8B24C57DA4A1A61F3BA321F84C5C)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2192766894.0000000005240000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007EF927 0_2_007EF927
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007ECA6D 0_2_007ECA6D
Source: file.exe, 00000000.00000002.2336985253.000000000159E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2153345254.0000000000676000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2778624 > 1048576
Source: file.exe | Static PE information: Raw size of cfyesryy is bigger than: 0x100000 < 0x2a0600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.670000.0.unpack :EW;.rsrc:W;.idata :W;cfyesryy:EW;gwntuilp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a786b should be: 0x2a96e2
Source: file.exe | Static PE information: section name: cfyesryy
Source: file.exe | Static PE information: section name: gwntuilp
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: entropy: 7.80234292244424

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82172B second address: 821730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 821730 second address: 821744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB5DCC70B26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push esi 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 822568 second address: 82256C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 824183 second address: 824187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823EFE second address: 823F04 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 823F04 second address: 823F0E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB5DCC70B2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8260DC second address: 826100 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 826100 second address: 82610A instructions: 0x00000000 rdtsc 0x00000002 js 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 825391 second address: 825395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 825395 second address: 82539B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF458 second address: 7DF45E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7DF45E second address: 7DF464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B157 second address: 82B182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB5DCEC5E11h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D01D second address: 82D022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D022 second address: 82D02C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB5DCEC5E06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A416 second address: 82A41A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B294 second address: 82B298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82D02C second address: 82D030 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A41A second address: 82A420 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B298 second address: 82B347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 ja 00007FB5DCC70B2Ch 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FB5DCC70B28h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov ebx, dword ptr [ebp+122D240Ah] 0x0000002f push dword ptr fs:[00000000h] 0x00000036 add dword ptr [ebp+122D1CF9h], esi 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 jmp 00007FB5DCC70B2Ah 0x00000048 sub edi, 6411E91Dh 0x0000004e mov eax, dword ptr [ebp+122D0D99h] 0x00000054 push 00000000h 0x00000056 push edi 0x00000057 call 00007FB5DCC70B28h 0x0000005c pop edi 0x0000005d mov dword ptr [esp+04h], edi 0x00000061 add dword ptr [esp+04h], 00000019h 0x00000069 inc edi 0x0000006a push edi 0x0000006b ret 0x0000006c pop edi 0x0000006d ret 0x0000006e jmp 00007FB5DCC70B33h 0x00000073 push FFFFFFFFh 0x00000075 jmp 00007FB5DCC70B31h 0x0000007a nop 0x0000007b pushad 0x0000007c pushad 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82A420 second address: 82A437 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB5DCEC5E08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FB5DCEC5E08h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82B347 second address: 82B34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E0AC second address: 82E0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7C6E second address: 7E7C9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B2Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FB5DCC70B2Ch 0x00000014 jmp 00007FB5DCC70B2Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E28D second address: 82E297 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7C9D second address: 7E7CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E297 second address: 82E2AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007FB5DCEC5E0Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E7CA2 second address: 7E7CAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 ja 00007FB5DCC70B26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82E2AF second address: 82E2B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8337EB second address: 833862 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FB5DCC70B28h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D2530h], edx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007FB5DCC70B28h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 push edx 0x00000047 push edx 0x00000048 or ebx, dword ptr [ebp+122D3BAFh] 0x0000004e pop ebx 0x0000004f pop ebx 0x00000050 push 00000000h 0x00000052 jmp 00007FB5DCC70B2Eh 0x00000057 xchg eax, esi 0x00000058 push ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FB5DCC70B2Ah 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833862 second address: 833874 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833874 second address: 83387A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83387A second address: 83388F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5DCEC5E11h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834878 second address: 83487C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83487C second address: 834882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 834882 second address: 83488C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB5DCC70B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83592F second address: 83594B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FB5DCEC5E0Dh 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83594B second address: 83594F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 833A92 second address: 833A97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 836947 second address: 836958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5DCC70B2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8379CB second address: 8379CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837A7D second address: 837A81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837A81 second address: 837A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8388F3 second address: 8388FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FB5DCC70B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8388FD second address: 838918 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007FB5DCEC5E26h 0x00000013 push eax 0x00000014 push edx 0x00000015 jbe 00007FB5DCEC5E06h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838918 second address: 838998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FB5DCC70B28h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007FB5DCC70B28h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 xor bx, 496Bh 0x00000045 push 00000000h 0x00000047 mov edi, dword ptr [ebp+12441ED9h] 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 je 00007FB5DCC70B2Ch 0x00000056 jnl 00007FB5DCC70B26h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 838998 second address: 8389AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB5DCEC5E0Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8349A9 second address: 834A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB5DCC70B26h 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d jmp 00007FB5DCC70B31h 0x00000012 nop 0x00000013 add dword ptr [ebp+12442388h], edx 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov di, BF57h 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push edx 0x0000002e call 00007FB5DCC70B28h 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], edx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc edx 0x00000041 push edx 0x00000042 ret 0x00000043 pop edx 0x00000044 ret 0x00000045 mov edi, ecx 0x00000047 mov eax, dword ptr [ebp+122D1411h] 0x0000004d push 00000000h 0x0000004f push ecx 0x00000050 call 00007FB5DCC70B28h 0x00000055 pop ecx 0x00000056 mov dword ptr [esp+04h], ecx 0x0000005a add dword ptr [esp+04h], 00000016h 0x00000062 inc ecx 0x00000063 push ecx 0x00000064 ret 0x00000065 pop ecx 0x00000066 ret 0x00000067 push FFFFFFFFh 0x00000069 movsx ebx, dx 0x0000006c nop 0x0000006d push ecx 0x0000006e push eax 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837C8E second address: 837C92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 837C92 second address: 837CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jne 00007FB5DCC70B26h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83FE02 second address: 83FE29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB5DCEC5E19h 0x0000000d ja 00007FB5DCEC5E06h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83FE29 second address: 83FE2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 83FE2D second address: 83FE60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB5DCEC5E11h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop esi 0x00000012 jmp 00007FB5DCEC5E15h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8430F2 second address: 8430F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8430F8 second address: 8430FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8430FE second address: 843102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 843102 second address: 843112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007FB5DCEC5E06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8446B5 second address: 8446C5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8446C5 second address: 8446CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8501D5 second address: 8501DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850383 second address: 8503A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E19h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8503A0 second address: 8503A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8503A6 second address: 8503AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8503AC second address: 8503BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B2Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8506F8 second address: 8506FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8506FC second address: 850700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 850700 second address: 85071F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FB5DCEC5E14h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E451B second address: 7E451F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E451F second address: 7E454E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E13h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB5DCEC5E14h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E454E second address: 7E4566 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E4566 second address: 7E456F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7E456F second address: 7E4575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AF89 second address: 85AF94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AF94 second address: 85AF98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AF98 second address: 85AFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AFA3 second address: 85AFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B2Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AFB5 second address: 85AFBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85AFBB second address: 85AFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B32h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F257 second address: 85F263 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F263 second address: 85F267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F822 second address: 85F826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F9B6 second address: 85F9BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F9BA second address: 85F9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB5DCEC5E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F9C6 second address: 85F9CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F9CC second address: 85F9D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85F9D0 second address: 85F9E4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FB5DCC70B2Eh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FB1F second address: 85FB48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB5DCEC5E13h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jnp 00007FB5DCEC5E0Ah 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FE30 second address: 85FE68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FB5DCC70B51h 0x0000000f jmp 00007FB5DCC70B2Bh 0x00000014 pushad 0x00000015 jmp 00007FB5DCC70B30h 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FFC3 second address: 85FFC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 85FFC9 second address: 85FFCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8602B6 second address: 8602DC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FB5DCEC5E1Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8602DC second address: 86033D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FB5DCC70B84h 0x0000000f push ecx 0x00000010 jmp 00007FB5DCC70B38h 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB5DCC70B2Ch 0x0000001d jmp 00007FB5DCC70B37h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86033D second address: 860356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E15h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 866FF0 second address: 866FFE instructions: 0x00000000 rdtsc 0x00000002 je 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 866FFE second address: 867004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 867004 second address: 86700A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 86700A second address: 867028 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E18h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8672D3 second address: 8672D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8676C0 second address: 8676D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB5DCEC5E10h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8676D7 second address: 8676DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8676DD second address: 8676E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB5DCEC5E06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 867847 second address: 867855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FB5DCC70B26h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 867CA0 second address: 867CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 867CA6 second address: 867CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 867CAF second address: 867CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB5DCEC5E06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E2A75 second address: 7E2AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B2Ch 0x00000009 popad 0x0000000a jmp 00007FB5DCC70B39h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7E2AA3 second address: 7E2AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 870037 second address: 87003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87003B second address: 870063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E0Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FB5DCEC5E11h 0x00000013 jmp 00007FB5DCEC5E0Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 870063 second address: 87006B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8701A7 second address: 8701B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87084D second address: 870851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 870851 second address: 870855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 870C13 second address: 870C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB5DCC70B26h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87806A second address: 878082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E12h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 878082 second address: 87808B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81EF37 second address: 81EF41 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81EF41 second address: 81EF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81EF47 second address: 81EF64 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB5DCEC5E0Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F2E9 second address: 81F2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F2EF second address: 67DDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dx, 7082h 0x0000000b push dword ptr [ebp+122D04A9h] 0x00000011 mov edx, dword ptr [ebp+122D3A4Bh] 0x00000017 call dword ptr [ebp+122D1E0Dh] 0x0000001d pushad 0x0000001e clc 0x0000001f xor eax, eax 0x00000021 jne 00007FB5DCEC5E0Ch 0x00000027 add dword ptr [ebp+122D1D50h], ebx 0x0000002d mov edx, dword ptr [esp+28h] 0x00000031 jmp 00007FB5DCEC5E15h 0x00000036 mov dword ptr [ebp+122D3B9Bh], eax 0x0000003c pushad 0x0000003d jmp 00007FB5DCEC5E0Ah 0x00000042 xor cx, 5A86h 0x00000047 popad 0x00000048 mov esi, 0000003Ch 0x0000004d or dword ptr [ebp+122D1D16h], eax 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 pushad 0x00000058 add dword ptr [ebp+122D1D16h], edx 0x0000005e mov esi, dword ptr [ebp+122D3C7Fh] 0x00000064 popad 0x00000065 lodsw 0x00000067 jno 00007FB5DCEC5E0Ch 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 ja 00007FB5DCEC5E0Ch 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b pushad 0x0000007c mov di, si 0x0000007f mov edx, dword ptr [ebp+122D3AEFh] 0x00000085 popad 0x00000086 nop 0x00000087 jl 00007FB5DCEC5E10h 0x0000008d push eax 0x0000008e push edx 0x0000008f pushad 0x00000090 popad 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F3C8 second address: 81F3CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F3CC second address: 81F3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jl 00007FB5DCEC5E18h 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FB5DCEC5E06h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F3E2 second address: 81F3E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F3E6 second address: 67DDB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D279Ch], edx 0x0000000d push dword ptr [ebp+122D04A9h] 0x00000013 xor dword ptr [ebp+1244200Dh], esi 0x00000019 call dword ptr [ebp+122D1E0Dh] 0x0000001f pushad 0x00000020 clc 0x00000021 xor eax, eax 0x00000023 jne 00007FB5DCEC5E0Ch 0x00000029 add dword ptr [ebp+122D1D50h], ebx 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 jmp 00007FB5DCEC5E15h 0x00000038 mov dword ptr [ebp+122D3B9Bh], eax 0x0000003e pushad 0x0000003f jmp 00007FB5DCEC5E0Ah 0x00000044 xor cx, 5A86h 0x00000049 popad 0x0000004a mov esi, 0000003Ch 0x0000004f or dword ptr [ebp+122D1D16h], eax 0x00000055 add esi, dword ptr [esp+24h] 0x00000059 pushad 0x0000005a add dword ptr [ebp+122D1D16h], edx 0x00000060 mov esi, dword ptr [ebp+122D3C7Fh] 0x00000066 popad 0x00000067 lodsw 0x00000069 jno 00007FB5DCEC5E0Ch 0x0000006f mov dword ptr [ebp+122D1D96h], ecx 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 ja 00007FB5DCEC5E0Ch 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 pushad 0x00000084 mov di, si 0x00000087 mov edx, dword ptr [ebp+122D3AEFh] 0x0000008d popad 0x0000008e nop 0x0000008f jl 00007FB5DCEC5E10h 0x00000095 push eax 0x00000096 push edx 0x00000097 pushad 0x00000098 popad 0x00000099 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F4B2 second address: 81F4D5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB5DCC70B28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB5DCC70B34h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F4D5 second address: 81F4DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F4DB second address: 81F52A instructions: 0x00000000 rdtsc 0x00000002 je 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jno 00007FB5DCC70B41h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jne 00007FB5DCC70B2Eh 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 js 00007FB5DCC70B34h 0x00000028 push eax 0x00000029 push edx 0x0000002a push edx 0x0000002b pop edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F52A second address: 81F52E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F5F8 second address: 81F5FD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F67F second address: 81F683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F683 second address: 81F68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F971 second address: 81F976 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F976 second address: 81F98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FB5DCC70B2Ch 0x0000000f jnl 00007FB5DCC70B26h 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F98E second address: 81F9C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D1DD2h], edi 0x0000000d push 00000004h 0x0000000f jno 00007FB5DCEC5E0Ch 0x00000015 nop 0x00000016 push edx 0x00000017 jnl 00007FB5DCEC5E0Ch 0x0000001d pop edx 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jo 00007FB5DCEC5E0Ch 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F9C3 second address: 81F9C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81F9C7 second address: 81F9D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB5DCEC5E06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FD0D second address: 81FD17 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB5DCC70B2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FD17 second address: 81FD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007FB5DCEC5E08h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push 0000001Eh 0x00000023 mov dx, BEF7h 0x00000027 nop 0x00000028 jl 00007FB5DCEC5E14h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FFB9 second address: 81FFBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FFBE second address: 81FFC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FFC4 second address: 81FFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007FB5DCC70B36h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FFE6 second address: 81FFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 81FFEC second address: 81FFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 878320 second address: 87835F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB5DCEC5E12h 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jns 00007FB5DCEC5E0Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d jmp 00007FB5DCEC5E11h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8788E0 second address: 8788F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jne 00007FB5DCC70B2Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007FB5DCC70B26h 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 878BDC second address: 878C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jo 00007FB5DCEC5E06h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB5DCEC5E18h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 878C09 second address: 878C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87E6F3 second address: 87E6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 87E6F7 second address: 87E6FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 882492 second address: 8824B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8824B1 second address: 8824BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB5DCC70B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8824BB second address: 8824BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 882603 second address: 88260D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 882778 second address: 88277E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88277E second address: 882784 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8828E9 second address: 8828ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8828ED second address: 8828F9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jc 00007FB5DCC70B26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8828F9 second address: 8828FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 882A33 second address: 882A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8879CD second address: 8879D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8879D1 second address: 8879D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8879D7 second address: 8879E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8879E0 second address: 8879FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FB5DCC70B26h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB5DCC70B2Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 887B5C second address: 887B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 887B62 second address: 887B6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 887CC0 second address: 887CC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 887CC4 second address: 887CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB5DCC70B2Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 887E97 second address: 887E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88802D second address: 88803C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jl 00007FB5DCC70B26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C3C2 second address: 88C3D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E0Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C538 second address: 88C53C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C53C second address: 88C54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB5DCEC5E06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C54B second address: 88C552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C552 second address: 88C55F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5DCEC5E08h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C695 second address: 88C69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C69B second address: 88C6A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 88C966 second address: 88C96E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 895237 second address: 895252 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5DCEC5E17h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89329B second address: 8932BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B31h 0x00000007 jnp 00007FB5DCC70B26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8932BA second address: 8932C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8932C0 second address: 8932CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8932CA second address: 8932D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8932D0 second address: 8932D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89371D second address: 893732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB5DCEC5E06h 0x0000000a jmp 00007FB5DCEC5E0Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 893732 second address: 893736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 893A01 second address: 893A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 893A05 second address: 893A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89439C second address: 8943A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8943A4 second address: 8943A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8946C6 second address: 8946D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8946D4 second address: 894706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B35h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FB5DCC70B32h 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8949B1 second address: 8949BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8949BB second address: 8949C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 894C84 second address: 894C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 894F59 second address: 894F5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 894F5F second address: 894F65 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 894F65 second address: 894F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB5DCC70B2Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 899D51 second address: 899D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 899D59 second address: 899D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 899D5D second address: 899D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89DBD7 second address: 89DBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89DBDB second address: 89DBE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D043 second address: 89D04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB5DCC70B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D59B second address: 89D5B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 89D5B1 second address: 89D5B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A74F6 second address: 8A7525 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB5DCEC5E17h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB5DCEC5E0Fh 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5A36 second address: 8A5A40 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB5DCC70B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5A40 second address: 8A5A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edx 0x00000008 jl 00007FB5DCEC5E0Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5E7A second address: 8A5E8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB5DCC70B2Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A5E8A second address: 8A5E97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FB5DCEC5E06h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 8A619F second address: 8A61ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FB5DCC70B2Eh 0x0000000c jmp 00007FB5DCC70B30h 0x00000011 popad 0x00000012 pushad 0x00000013 jns 00007FB5DCC70B28h 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e pop ebx 0x0000001f je 00007FB5DCC70B38h 0x00000025 pushad 0x00000026 popad 0x00000027 jmp 00007FB5DCC70B30h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A61ED second address: 8A6207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E16h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A6207 second address: 8A620B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A64EA second address: 8A650F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E10h 0x00000009 popad 0x0000000a jmp 00007FB5DCEC5E0Dh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A6AE3 second address: 8A6AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A6AE7 second address: 8A6AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB5DCEC5E0Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8A5164 second address: 8A5169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8AD232 second address: 8AD236 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACCE2 second address: 8ACCE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACCE8 second address: 8ACCEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACCEC second address: 8ACCF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACF84 second address: 8ACF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACF8A second address: 8ACF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8ACF8E second address: 8ACF9C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FB5DCEC5E06h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BB5B6 second address: 8BB5BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8BD7AF second address: 8BD7B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3BCE second address: 8C3BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3BD2 second address: 8C3BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007FB5DCEC5E06h 0x00000013 je 00007FB5DCEC5E06h 0x00000019 push edi 0x0000001a pop edi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3BEE second address: 8C3BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3BF6 second address: 8C3C04 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB5DCEC5E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C3C04 second address: 8C3C08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C2955 second address: 8C296F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push esi 0x00000006 jmp 00007FB5DCEC5E12h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C6089 second address: 8C60A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B37h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C60A9 second address: 8C60AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C60AF second address: 8C60C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B2Fh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8C60C3 second address: 8C60EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB5DCEC5E12h 0x00000011 jmp 00007FB5DCEC5E0Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE662 second address: 8CE671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FB5DCC70B26h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8CE671 second address: 8CE69A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007FB5DCEC5E1Fh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D3084 second address: 8D308E instructions: 0x00000000 rdtsc 0x00000002 je 00007FB5DCC70B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8D07 second address: 8D8D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCEC5E14h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8D1F second address: 8D8D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8D23 second address: 8D8D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8D29 second address: 8D8D5A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FB5DCC70B31h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c jnc 00007FB5DCC70B26h 0x00000012 jmp 00007FB5DCC70B31h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8D5A second address: 8D8D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7769 second address: 8D776D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D776D second address: 8D7786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB5DCEC5E0Fh 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7786 second address: 8D778C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D778C second address: 8D7796 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB5DCEC5E0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D78E9 second address: 8D7905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B38h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D1C second address: 8D7D21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D21 second address: 8D7D32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5DCC70B2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D32 second address: 8D7D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FB5DCEC5E1Dh 0x0000000c jmp 00007FB5DCEC5E0Ah 0x00000011 jmp 00007FB5DCEC5E0Dh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D5D second address: 8D7D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB5DCC70B26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D6C second address: 8D7D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D7D70 second address: 8D7DA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007FB5DCC70B26h 0x00000012 jmp 00007FB5DCC70B2Dh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8008 second address: 8D8010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8010 second address: 8D8018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8D8A2B second address: 8D8A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCC23 second address: 8DCC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8DCC2C second address: 8DCC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E787A second address: 8E7880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E7880 second address: 8E789C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB5DCEC5E11h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8E789C second address: 8E78A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EABC9 second address: 8EABD9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB5DCEC5E0Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC2DA second address: 8EC2F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC2F7 second address: 8EC2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC2FB second address: 8EC305 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC305 second address: 8EC317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB5DCEC5E0Ch 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8EC317 second address: 8EC31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FBBE0 second address: 8FBBE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FBBE6 second address: 8FBBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB7B5 second address: 8FB7C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB7C8 second address: 8FB7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB7CE second address: 8FB7D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB92B second address: 8FB951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B39h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB951 second address: 8FB957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 8FB957 second address: 8FB972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB5DCC70B32h 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903F54 second address: 903F63 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB5DCEC5E06h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903810 second address: 90381C instructions: 0x00000000 rdtsc 0x00000002 je 00007FB5DCC70B26h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90381C second address: 903821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903990 second address: 903994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903994 second address: 90399A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90399A second address: 9039AD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB5DCC70B28h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007FB5DCC70B26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 903C1C second address: 903C34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB5DCEC5E06h 0x0000000a jmp 00007FB5DCEC5E0Dh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906D10 second address: 906D31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCC70B39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906D31 second address: 906D63 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB5DCEC5E0Ch 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b je 00007FB5DCEC5E06h 0x00000011 jnl 00007FB5DCEC5E06h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push edi 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e ja 00007FB5DCEC5E06h 0x00000024 pushad 0x00000025 popad 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906D63 second address: 906D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90B06D second address: 90B073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90B073 second address: 90B07D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB5DCC70B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90B07D second address: 90B09C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB5DCEC5E19h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90B09C second address: 90B0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90B0A0 second address: 90B0A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D902 second address: 90D908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D908 second address: 90D90C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D90C second address: 90D91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D91A second address: 90D91E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90D9D2 second address: 90DA0A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FB5DCC70B36h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB5DCC70B39h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8DD second address: 90F8EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 js 00007FB5DCEC5E06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8EC second address: 90F8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8F1 second address: 90F8F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8F6 second address: 90F912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB5DCC70B36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F912 second address: 90F92E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FB5DCEC5E12h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 908260 second address: 908267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906EA6 second address: 906ED5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB5DCEC5E0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FB5DCEC5E06h 0x00000010 jmp 00007FB5DCEC5E19h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906ED5 second address: 906ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 67DE26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 844723 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 81EFC1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 67DD51 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8AE6C4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 685D83 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 55F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 75F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F2177 rdtsc 0_2_007F2177
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 6288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085186C GetSystemInfo,VirtualAlloc,0_2_0085186C
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F2177 rdtsc 0_2_007F2177
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0067B7C6 LdrInitializeThunk,0_2_0067B7C6
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: \_PProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques with signature hits for this sample; the number after each technique is the count badge as shown in the report):

  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (261), Process Injection (1), Obfuscated Files or Information (2), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
  • Discovery: Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (261), System Information Discovery (23)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no techniques flagged
Source | Detection | Scanner | Label | Link
file.exe | 37% | ReversingLabs | Win32.Infostealer.Tinba |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546539
Start date and time: 2024-11-01 05:01:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.510150934407278
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'778'624 bytes
MD5: 481c8b24c57da4a1a61f3ba321f84c5c
SHA1: 57b83e709ddf9067f94e3831f6cc2e18f59c42ee
SHA256: f3daf351dc8d9b8ec19991e83ad7344d18124790592e971cf3d93070c0800c33
SHA512: 3e5018be21d277141c1ffd1716d43e9f809bd9e260612cd0dae27f62c0973f37a3154905d6e532353808dcddd15c979cade9250e016282c09d5f1fb1c7fd1a34
SSDEEP: 49152:RIEdKjoDJjVnbnxKiZJp+6BuVhEEi+Vt+c:SEdKjkJjVnbbprBg2EZt+
TLSH: D2D54C91B40A72CFE89E27789527CD86795D07FA4B2109C3EC6CA5BA7E63CC111F6C24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ....................... +.....kx*...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6ae000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x2000 | 0x4000 | 0x1200 | a5e7d0940609e877fa23f0ab24c33ac1 | False | 0.9331597222222222 | data | 7.80234292244424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cfyesryy | 0xa000 | 0x2a2000 | 0x2a0600 | 943b89f4f7faa075c80e886ba14731aa | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gwntuilp | 0x2ac000 | 0x2000 | 0x400 | 224fd22e232044e0567ea684c06588a3 | False | 0.7470703125 | data | 5.865188569418854 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2ae000 | 0x4000 | 0x2200 | f8201a55d3fc9055922289487445ebf2 | False | 0.06284466911764706 | DOS executable (COM) | 0.7032531057950687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID: 0
Start time: 00:02:04
Start date: 01/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x670000
File size: 2'778'624 bytes
MD5 hash: 481C8B24C57DA4A1A61F3BA321F84C5C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage: 4.5%
    Dynamic/Decrypted Code Coverage: 10.2%
    Signature Coverage: 23.9%
    Total number of Nodes: 88
    Total number of Limit Nodes: 10

    Control-flow Graph: function at 7f2177 (CreateFileA)
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 5c61fcec73323fc9034551f493ca75aa422e1297bdae6b1807c68efd62cc2682
    • Instruction ID: e342a850df089d8e583a79f915021fe0d41c45837f4c5d003c48f89bb9e9f490
    • Opcode Fuzzy Hash: 5c61fcec73323fc9034551f493ca75aa422e1297bdae6b1807c68efd62cc2682
    • Instruction Fuzzy Hash: 9321663210C2CEAED702DF7488919FA3BA09E47334720449AEA81CB783D2A90C079765

    Control-flow Graph: function at 85186c (GetSystemInfo, VirtualAlloc)
    APIs
    • GetSystemInfo.KERNELBASE(?,-11C55FEC), ref: 00851878
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 008518D9
    Memory Dump Source
    • Source File: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 314f69365bd383fb7673096a5fec25806e006e2c351a04b6562b44e9fdccfebd
    • Instruction ID: 49dbd313174ca52cbdde4acfe21eb7c11f6fe60f243a7b708755777f481a44fb
    • Opcode Fuzzy Hash: 314f69365bd383fb7673096a5fec25806e006e2c351a04b6562b44e9fdccfebd
    • Instruction Fuzzy Hash: F84123B1E40206AEE73EDF648C45F9A77ECFB08742F0045A6B603CD586EA7095D48BA1
    Memory Dump Source
    • Source File: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: 2fb9eb5f46292da2a611c0bf3090f30930d0861c358ca579815c8ca197de9432
    • Instruction ID: 7e2456fefc142a5bb9c3feadf9962cae6a82c4a9f5aeb18faafb208740bbcd6a
    • Opcode Fuzzy Hash: 2fb9eb5f46292da2a611c0bf3090f30930d0861c358ca579815c8ca197de9432
    • Instruction Fuzzy Hash: 21E0CD311048C999CB96DF208841799361FDB42700F50A118F7195EE49CB3D4D1287D9

    Control-flow Graph

    control_flow_graph 0 7fc6fb-7fc721 1 80006c-800299 0->1 2 7fc782-7fc78b 0->2 5 8002c2-8002dd RegOpenKeyA 1->5 6 80029b-8002b6 RegOpenKeyA 1->6 7 8002f5-800321 5->7 8 8002df-8002e9 5->8 6->5 9 8002b8 6->9 12 800323-80032c GetNativeSystemInfo 7->12 13 80032e-800338 7->13 8->7 9->5 12->13 14 800344-800352 13->14 15 80033a 13->15 17 800354 14->17 18 80035e-800365 14->18 15->14 17->18 19 800378 18->19 20 80036b-800372 18->20 21 80037d-800384 19->21 20->19 20->21 22 7fc41a-7fc431 21->22 23 80038a-800398 21->23 22->2
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 008002AE
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 008002D5
    • GetNativeSystemInfo.KERNELBASE(?), ref: 0080032C
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: c7ff1d21a793286a87a35b97002dbc87c2ad302888e01f7445af932dbc9acd88
    • Instruction ID: 3714eb6086ca2c6fe42527c4b8c5e82f8f94bab872a161f090a552a20f272ffc
    • Opcode Fuzzy Hash: c7ff1d21a793286a87a35b97002dbc87c2ad302888e01f7445af932dbc9acd88
    • Instruction Fuzzy Hash: 6B413BB200420ECFDB22DF64CC88BAE77A4FF08314F450529DA8186A51D7765DA4CF59

    Control-flow Graph

    control_flow_graph 24 7f1f9c-7f1fa0 25 7f1fb4-7f2029 call 7f1fe8 24->25 26 7f1fa2-7f1fb1 24->26 32 7f203d-7f204d CreateFileA 25->32 33 7f202b-7f203c 25->33 26->25 34 7f242b-7f244e call 7f2450 32->34 35 7f2053-7f2062 32->35 33->32 41 7f2410-7f2427 call 7f2424 34->41 42 7f2450-7f2452 34->42 37 7f206a-7f20a6 35->37 38 7f2068-7f2069 35->38 44 7f20ac 37->44 45 7f20b2-7f20ba 37->45 38->37 41->34 47 7f245a-7f245c 42->47 48 7f2458-7f2459 42->48 44->45 49 7f20c6-7f212e call 7f2131 45->49 50 7f20c0 45->50 52 7f247b-7f247e 47->52 53 7f2462 47->53 48->47 50->49 56 7f2484-7f2491 52->56 57 7f2492-7f2496 52->57 53->52 56->57 60 7f249c 57->60 61 7f24a9-7f24f0 57->61 60->61 65 7f24f6-7f25b0 call 7f2510 61->65 66 7f2512-7f251a 61->66 78 7f25bb-7f25cf 65->78 79 7f25b2-7f25b9 65->79 70 7f2526-7f2540 66->70 71 7f2520 66->71 75 7f254c-7f2575 70->75 76 7f2546 70->76 71->70 85 7f257b 75->85 76->75 80 7f25d0-7f25dd call 7f25e0 78->80 79->78 79->80 85->85
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID: C
    • API String ID: 0-1037565863
    • Opcode ID: 72fa965cf2a4cc1e78ab16f8b45600e02b9591149947766f5d6cd02a9386e80f
    • Instruction ID: 4c9a6c56a919af0353272accb4aa2ca143fe6c9621c022327ee2c0a341fb7de0
    • Opcode Fuzzy Hash: 72fa965cf2a4cc1e78ab16f8b45600e02b9591149947766f5d6cd02a9386e80f
    • Instruction Fuzzy Hash: 3D4138B314C24EAEE711DE54A951AFF77A8EBD1330F30842BFA41C6A43D2A90D069635

    Control-flow Graph

    control_flow_graph 86 7ee922-7ee924 LoadLibraryA 87 7ee938 86->87 88 7ee93e-7ee95c 87->88 89 7ee95d-7eea98 87->89 88->89
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: gO7
    • API String ID: 1029625771-3612920928
    • Opcode ID: e13cf59f81f1a4825d2aeb812e6bc4c53e27d0e42e1dce916e0f24c776f0448a
    • Instruction ID: 341b8d538932a4d9cafd54fd19a99f2502bc2bed6cac64a5f46a673d062d107c
    • Opcode Fuzzy Hash: e13cf59f81f1a4825d2aeb812e6bc4c53e27d0e42e1dce916e0f24c776f0448a
    • Instruction Fuzzy Hash: E13139B290C6009FD345AF29D88266AFBF9EF98710F164C2DE6C5C3214E6355894CB97

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 169 7ee752-7ee755 LoadLibraryA 170 7ee769-7ee91c 169->170 178 7ee91d 170->178 178->178
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 8c9fea50e17c5c75b6b475b1e860bbf332d0c76f5d1b90fd83b0d1ea2f305ba8
    • Instruction ID: 01384022f73984bf0098a5b2f0e3fe3bde6f2bc51d0943f58a9ab1ebd73f3251
    • Opcode Fuzzy Hash: 8c9fea50e17c5c75b6b475b1e860bbf332d0c76f5d1b90fd83b0d1ea2f305ba8
    • Instruction Fuzzy Hash: 03416DB290D210EFE3056E29DC856BABBE9FF58320F160C2DE6C593250D73954509B97

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 179 7f2012-7f2016 180 7f201e-7f2029 179->180 181 7f2018-7f201c 179->181 184 7f203d-7f204d CreateFileA 180->184 185 7f202b-7f203c 180->185 181->180 186 7f242b-7f244e call 7f2450 184->186 187 7f2053-7f2062 184->187 185->184 193 7f2410-7f2427 call 7f2424 186->193 194 7f2450-7f2452 186->194 189 7f206a-7f20a6 187->189 190 7f2068-7f2069 187->190 196 7f20ac 189->196 197 7f20b2-7f20ba 189->197 190->189 193->186 199 7f245a-7f245c 194->199 200 7f2458-7f2459 194->200 196->197 201 7f20c6-7f212e call 7f2131 197->201 202 7f20c0 197->202 204 7f247b-7f247e 199->204 205 7f2462 199->205 200->199 202->201 208 7f2484-7f2491 204->208 209 7f2492-7f2496 204->209 205->204 208->209 212 7f249c 209->212 213 7f24a9-7f24f0 209->213 212->213 217 7f24f6-7f25b0 call 7f2510 213->217 218 7f2512-7f251a 213->218 230 7f25bb-7f25cf 217->230 231 7f25b2-7f25b9 217->231 222 7f2526-7f2540 218->222 223 7f2520 218->223 227 7f254c-7f2575 222->227 228 7f2546 222->228 223->222 237 7f257b 227->237 228->227 232 7f25d0-7f25dd call 7f25e0 230->232 231->230 231->232 237->237
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b31c40ced36e54f09652ba7424efaa275d880a3725fe9b83b0457e3e7179e381
    • Instruction ID: 262c2a7a134cfcfe0b1b3eeaf28c7d1f2c3f2f1c7d5c103d0810225eb3e0ba39
    • Opcode Fuzzy Hash: b31c40ced36e54f09652ba7424efaa275d880a3725fe9b83b0457e3e7179e381
    • Instruction Fuzzy Hash: DE3124B724D14ABEE710AE45AD50EFB77ADEBC2330F30842AF941C6582E2650D4A8631

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 238 7f1ff7-7f2003 240 7f200b-7f2029 238->240 241 7f2009-7f200a 238->241 244 7f203d-7f204d CreateFileA 240->244 245 7f202b-7f203c 240->245 241->240 246 7f242b-7f244e call 7f2450 244->246 247 7f2053-7f2062 244->247 245->244 253 7f2410-7f2427 call 7f2424 246->253 254 7f2450-7f2452 246->254 249 7f206a-7f20a6 247->249 250 7f2068-7f2069 247->250 256 7f20ac 249->256 257 7f20b2-7f20ba 249->257 250->249 253->246 259 7f245a-7f245c 254->259 260 7f2458-7f2459 254->260 256->257 261 7f20c6-7f212e call 7f2131 257->261 262 7f20c0 257->262 264 7f247b-7f247e 259->264 265 7f2462 259->265 260->259 262->261 268 7f2484-7f2491 264->268 269 7f2492-7f2496 264->269 265->264 268->269 272 7f249c 269->272 273 7f24a9-7f24f0 269->273 272->273 277 7f24f6-7f25b0 call 7f2510 273->277 278 7f2512-7f251a 273->278 290 7f25bb-7f25cf 277->290 291 7f25b2-7f25b9 277->291 282 7f2526-7f2540 278->282 283 7f2520 278->283 287 7f254c-7f2575 282->287 288 7f2546 282->288 283->282 297 7f257b 287->297 288->287 292 7f25d0-7f25dd call 7f25e0 290->292 291->290 291->292 297->297
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 066ddc5c8b41547bd45618a9df54981bf4fc384f02302b25f5116e62b27c8cac
    • Instruction ID: 7b22e564ba7fc7caaa7a7a05ea862d0598b74ba283aab2d1055ed463cca53a91
    • Opcode Fuzzy Hash: 066ddc5c8b41547bd45618a9df54981bf4fc384f02302b25f5116e62b27c8cac
    • Instruction Fuzzy Hash: 452120B724810ABEF3209E41AE50EFB73ACE7C2330F30842AF941C6A82D2650D469234

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 298 7f1fe8-7f2003 300 7f200b-7f2029 298->300 301 7f2009-7f200a 298->301 304 7f203d-7f204d CreateFileA 300->304 305 7f202b-7f203c 300->305 301->300 306 7f242b-7f244e call 7f2450 304->306 307 7f2053-7f2062 304->307 305->304 313 7f2410-7f2427 call 7f2424 306->313 314 7f2450-7f2452 306->314 309 7f206a-7f20a6 307->309 310 7f2068-7f2069 307->310 316 7f20ac 309->316 317 7f20b2-7f20ba 309->317 310->309 313->306 319 7f245a-7f245c 314->319 320 7f2458-7f2459 314->320 316->317 321 7f20c6-7f212e call 7f2131 317->321 322 7f20c0 317->322 324 7f247b-7f247e 319->324 325 7f2462 319->325 320->319 322->321 328 7f2484-7f2491 324->328 329 7f2492-7f2496 324->329 325->324 328->329 332 7f249c 329->332 333 7f24a9-7f24f0 329->333 332->333 337 7f24f6-7f25b0 call 7f2510 333->337 338 7f2512-7f251a 333->338 350 7f25bb-7f25cf 337->350 351 7f25b2-7f25b9 337->351 342 7f2526-7f2540 338->342 343 7f2520 338->343 347 7f254c-7f2575 342->347 348 7f2546 342->348 343->342 357 7f257b 347->357 348->347 352 7f25d0-7f25dd call 7f25e0 350->352 351->350 351->352 357->357
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ceea8c2702497e356667a1b36c04487bc90628030407baa1a1a9a20f1ac48b9b
    • Instruction ID: b58842713041821e99e5bb1b0a694bc5f74581ec6d835ba195cc46f9b54394e9
    • Opcode Fuzzy Hash: ceea8c2702497e356667a1b36c04487bc90628030407baa1a1a9a20f1ac48b9b
    • Instruction Fuzzy Hash: 6521F2B714810ABDF721DE45AE50EFF77ADE7C1330F30842AF901C6A82D6650D4A9234

    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; function entry block 7f1fdb-7f1fe3, CreateFileA called in block 7f203d-7f204d)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: ce3d0b292aa0d117c4a8d869de8f2bb1c2b1166de397f94480860975869b4cc6
    • Instruction ID: b4aeeff764cf0d7a9a897884db9573384f3f7393f3af5adb7ee57afc2139b32c
    • Opcode Fuzzy Hash: ce3d0b292aa0d117c4a8d869de8f2bb1c2b1166de397f94480860975869b4cc6
    • Instruction Fuzzy Hash: 3A2137B324925AAEE711EE15AD50EFF77ADEBC2330F30442BF941C6982D2650D4A8635

    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; function entry block 852298-8522a6, VirtualProtect called in block 8523e7-8523ef)
    Memory Dump Source
    • Source File: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a002d887596f5dc96b564fc0398650d4bd170cb65081f81d443ca51aedcd0968
    • Instruction ID: 02ef961f9691d1169a7578b04c99f95ea03cb8c0ced4640e2666c0b523a119ea
    • Opcode Fuzzy Hash: a002d887596f5dc96b564fc0398650d4bd170cb65081f81d443ca51aedcd0968
    • Instruction Fuzzy Hash: 40419D71900209EFDF25CF14D944BAEBBB0FF0631AF144095ED02EA691CB75AC98DBA5

    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; function entry block 851fe5-851ff4, GetModuleFileNameA called in block 852084-85209b)
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00852092
    Memory Dump Source
    • Source File: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 50795a426262bb44394aa777e28939e462446092ec44e0cbb325a89e572f94a7
    • Instruction ID: 512dca5396024f14c538707af1fd4884ccc4471a3f0e84c45256679240e03623
    • Opcode Fuzzy Hash: 50795a426262bb44394aa777e28939e462446092ec44e0cbb325a89e572f94a7
    • Instruction Fuzzy Hash: A71184B1A03A299FEB305A148C48BAAFB6CFF16716F104095ED05E70C1DF709DC8CAA1

    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; function entry block 5420d42-5420d97, OpenSCManagerW called in block 5420dab-5420dda)
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05420DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: ebb6c69c3a92921b279e93c6f6f9e76781d8eac4b22cbf491eb3c0072003f19a
    • Instruction ID: 90cc7b583f7c8dd8e3c5c342e5075adf1c3b02ea236baf04f6df0ee257e4d925
    • Opcode Fuzzy Hash: ebb6c69c3a92921b279e93c6f6f9e76781d8eac4b22cbf491eb3c0072003f19a
    • Instruction Fuzzy Hash: A02134B68112299FCB50CF99D984BDEFBF4FF88720F14815AE909AB204D774A540CBA4

    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; function entry block 5420d48-5420d97, OpenSCManagerW called in block 5420dab-5420dda)
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05420DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 0f808f17091f005ddf74d478a7bc1c01f263a7779dddfd5ac2f4962c4ff0146d
    • Instruction ID: fc04653127755284feabd3dcd2b0858c34e49441ff6c0e7d25fde5cdafdda9cb
    • Opcode Fuzzy Hash: 0f808f17091f005ddf74d478a7bc1c01f263a7779dddfd5ac2f4962c4ff0146d
    • Instruction Fuzzy Hash: 642104B68112299FCB50CF99D984ADEFBF4FF88720F14815AD909AB204D774A544CBA4

    Control-flow Graph (figure not reproduced; legend: Executed / Not Executed; function entry block 5421510-542158d, ControlService called in the entry block)
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05421580
    Memory Dump Source
    • Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: d3a0a3c5eca0d6fff98f90277e14a798dfbd7e17e42b0587d16685de29379539
    • Instruction ID: af07d3e2be351ea3d89f0eafbdb68c45d7e0bcc2a6df358f22c4fb519d7ce638
    • Opcode Fuzzy Hash: d3a0a3c5eca0d6fff98f90277e14a798dfbd7e17e42b0587d16685de29379539
    • Instruction Fuzzy Hash: C511E4B19003599FDB10CF9AC584BDEFBF4FB48720F10846AE959A3250D778AA44CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05421580
    Memory Dump Source
    • Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: cdd387784f30b135714299ffb2692ee173227800cff11e5910aba8754bed8a40
    • Instruction ID: a915b173e9243725fd1d980563561dd06f7fb697cd72889a9ca0efd41e73a0ce
    • Opcode Fuzzy Hash: cdd387784f30b135714299ffb2692ee173227800cff11e5910aba8754bed8a40
    • Instruction Fuzzy Hash: 302103B69002598FDB10CF9AC584BDEBBF4BB48320F10846AE519A3240D378A644CFA5
    APIs
• ImpersonateLoggedOnUser.KERNELBASE ref: 05421367
• The token handle argument is not resolved in this entry; the call site 05421367 is again in the non-PE-backed 05420000 region, so the thread impersonation is performed by the unpacked code alongside its service-control calls.
    Memory Dump Source
    • Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 883fd1910f9cd7b9413bcd3f30259e1f551a129c7821f7306f5511c2a5e592ad
    • Instruction ID: 16a72a44d6239f9b970c3ecb0e4beed8a07cca0caec6078c0d105650a79fe89f
    • Opcode Fuzzy Hash: 883fd1910f9cd7b9413bcd3f30259e1f551a129c7821f7306f5511c2a5e592ad
    • Instruction Fuzzy Hash: E51125B1800259CFDB10CF9AC945BDEBBF8EF48724F24845AD518A3240D7B9A554CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05421367
    Memory Dump Source
    • Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5420000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 156520ada0eb07722474d4def728a5ccff5531e1dbeeb0406196867bc2edc6f4
    • Instruction ID: c1213fa875887b5735dcd4b5c39837dd21912a1083128da4d1a3ac18359230ec
    • Opcode Fuzzy Hash: 156520ada0eb07722474d4def728a5ccff5531e1dbeeb0406196867bc2edc6f4
    • Instruction Fuzzy Hash: 941122B180025ACFDB10CF9AC944BDEBBF8EB48720F20846AD518A3240D778A944CBA5
    APIs
• VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00851C0B,?,?,00851911,?,?,00851911,?,?,00851911), ref: 00851C2F
• Arguments decoded: lpAddress = NULL, dwSize = 0x1000, flAllocationType = 0x1000 (MEM_COMMIT), flProtect = 0x4 (PAGE_READWRITE). The remaining values are the stack context captured at the call site (00851C0B and 00851911 fall inside the 00670000 image). Unlike the service and impersonation calls above, this call originates from the PE-backed image; the allocation is writable but not executable as requested here.
    Memory Dump Source
    • Source File: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 3830fe695e630f4a44b7711b024146c662f3129d41f5ec6bff5919a409063bb0
    • Instruction ID: 1aa80f2c093b55121e152250282b4194fdb451b7167b4938ff963a9a2af5ee21
    • Opcode Fuzzy Hash: 3830fe695e630f4a44b7711b024146c662f3129d41f5ec6bff5919a409063bb0
    • Instruction Fuzzy Hash: C9F06DB1904209EFDB258F54CD09B59BBE4FB49752F118069F84B9A691D3B698C08B50
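Read together, the entries above show service-control and token-impersonation calls (OpenSCManagerW, ControlService, ImpersonateLoggedOnUser) issued from the 05420000 region, which the dump metadata marks "based on PE: false" (no mapped image behind it), while VirtualAlloc is called from the PE-backed 00670000 image with flProtect 0x4. The Python below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses the "APIs" / "Memory Dump Source" entry shape used on this page (the embedded excerpt is copied from this report) and attributes each call site to its region, then flags calls from non-image-backed memory, service-control APIs, and the protection VirtualAlloc asked for. The regular expressions, the SERVICE_APIS list and the finding labels are my own assumptions about the plugin output, not a documented schema.

```python
import re
from dataclasses import dataclass

# Excerpt of the "APIs" / "Memory Dump Source" entries copied from this report
# (trimmed to the lines the parser consumes; nothing here is invented).
REPORT_EXCERPT = """\
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05420DCD
Memory Dump Source
• Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
APIs
• ControlService.ADVAPI32(?,?,?), ref: 05421580
Memory Dump Source
• Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
APIs
• ImpersonateLoggedOnUser.KERNELBASE ref: 05421367
Memory Dump Source
• Source File: 00000000.00000002.2339136474.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
APIs
• VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00851C0B,?,?,00851911,?,?,00851911,?,?,00851911), ref: 00851C2F
Memory Dump Source
• Source File: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
"""

# Assumed line shapes (my reading of the plugin output, not a documented schema).
API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
SRC_RE = re.compile(
    r"^•\s*Source File:.*?Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
# Assumed set of service-control APIs worth flagging; extend as needed.
SERVICE_APIS = {"OpenSCManagerW", "OpenServiceW", "ControlService", "StartServiceW", "ChangeServiceConfigW"}


@dataclass
class ApiRef:
    api: str
    module: str
    args: list          # raw argument tokens as printed ("?" = unresolved by the plugin)
    ref: int            # address of the call site
    region_base: int = 0
    pe_backed: bool = True


def parse_entries(text):
    """Attribute each API line to the Memory Dump Source block that follows it."""
    refs, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            pending.append(ApiRef(m["api"], m["module"], args, int(m["ref"], 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            for r in pending:
                r.region_base = int(m["base"], 16)
                r.pe_backed = m["pe"] == "true"
            refs.extend(pending)
            pending = []
    return refs


def calls_by_region(refs):
    """Group API names by the memory region their call site lives in."""
    out = {}
    for r in refs:
        out.setdefault(r.region_base, []).append(r.api)
    return out


def triage(refs):
    """Flag what a triager looks for first: calls from memory with no PE image behind them
    (typical of an unpacked or injected stage), service-control APIs, and what VirtualAlloc asked for."""
    findings = []
    for r in refs:
        where = (f"{r.api} @ {r.ref:08X} (region {r.region_base:08X}, "
                 f"{'image' if r.pe_backed else 'no PE image'})")
        if not r.pe_backed:
            findings.append(f"unbacked-code-call: {where}")
        if r.api in SERVICE_APIS:
            findings.append(f"service-control: {where}")
        if r.api == "VirtualAlloc" and len(r.args) >= 4:
            try:
                size, alloc_type, protect = (int(a, 16) for a in r.args[1:4])
            except ValueError:
                continue  # arguments were not resolved by the plugin
            tag = "rwx" if protect == PAGE_EXECUTE_READWRITE else "rw" if protect == PAGE_READWRITE else "other"
            findings.append(f"alloc-{tag}: {where} size={size:#x} commit={bool(alloc_type & MEM_COMMIT)}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_entries(REPORT_EXCERPT)):
        print(line)
```

Run against the excerpt, the three calls from 05420000 are reported as unbacked-code-call, the two service-manager calls as service-control, and the VirtualAlloc as a read-write (not RWX) commit of 0x1000 bytes. Feeding the helper the full "APIs" section of a report gives a per-region view that separates what the on-disk image does from what the unpacked code does.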
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: the remaining dumps of the 00670000 image, the same set enumerated in full under the VirtualAlloc entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: eb64317e78643ab3fe6ea7f3d61eb934f9a09c95dd3b21ab3d38bd8856d5a546
    • Instruction ID: cf3621aeea64b6c7755531f3c413ab6faf8cd7c530a4233f21b1fe5a7631131b
    • Opcode Fuzzy Hash: eb64317e78643ab3fe6ea7f3d61eb934f9a09c95dd3b21ab3d38bd8856d5a546
    • Instruction Fuzzy Hash: 60D0A9B510020D8FCB004F74898CACF7AA8EF18321F208244FD2AC2B80E3720C61CA19
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: the remaining dumps of the 00670000 image, the same set enumerated in full under the VirtualAlloc entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: d7901eb14fbae04af1549d8fabf331514f7ab6ca43ecc65e3b92c3152d9931ee
    • Instruction ID: 1d4b0b4175d09bf7da1d1bce3d140c73e0c6cb0b7518a6c6150cc08c2e0cd093
    • Opcode Fuzzy Hash: d7901eb14fbae04af1549d8fabf331514f7ab6ca43ecc65e3b92c3152d9931ee
    • Instruction Fuzzy Hash: 4DC04CB011C519CFC7006F18C5041BDFBF8FE64706F22584E98C642501DB7248A0DA1A
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
• Associated: the remaining dumps of the 00670000 image, the same set enumerated in full under the VirtualAlloc entry above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 75e78c8471f6f2a24ad5412655ad51b7c61bb5d52a30a78d25a4a2c174b16072
    • Instruction ID: 26ce140bcbdfd0b3be16cd34112b6fb668d968bb15744c63f028a822e6f170a6
    • Opcode Fuzzy Hash: 75e78c8471f6f2a24ad5412655ad51b7c61bb5d52a30a78d25a4a2c174b16072
    • Instruction Fuzzy Hash: 4661D1A144E7D18FC713CB3888B9955BFB0AE5720434E8ADFC8C14F4A7E259544ACB63
    Memory Dump Source
    • Source File: 00000000.00000002.2335150907.00000000007EB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00670000, based on PE: true
    • Associated: 00000000.00000002.2327049004.0000000000670000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327069380.0000000000672000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327149809.0000000000676000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327341724.000000000067A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2327892332.0000000000684000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2328184217.0000000000685000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2331028252.0000000000686000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335035989.00000000007DA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335069016.00000000007DD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335150907.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335319888.00000000007FD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335341717.00000000007FE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335407791.00000000007FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335433494.0000000000801000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335461530.000000000080B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335480433.000000000080E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335496452.0000000000811000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335514878.0000000000812000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335538719.0000000000827000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335556180.0000000000828000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335574731.000000000082A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335598638.000000000083D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335616448.000000000084C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335632926.000000000084D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335653622.0000000000854000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335672007.0000000000856000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335698535.000000000085E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335718180.0000000000861000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335741113.0000000000869000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335759478.000000000086B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335782466.0000000000873000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335802079.0000000000875000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335827184.0000000000876000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335842405.0000000000879000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335872128.000000000087A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335893448.000000000087F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335915097.0000000000887000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335935952.000000000088A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335957780.0000000000895000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335981412.000000000089A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2335999538.000000000089B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336018560.000000000089E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336038408.00000000008A7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336065562.00000000008A9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336084201.00000000008B5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336107787.00000000008B6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336126062.00000000008C0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336142412.00000000008C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336169264.00000000008D8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336186780.00000000008D9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336205866.00000000008DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336228672.00000000008DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336253909.00000000008F8000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336268704.00000000008F9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.0000000000905000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336287501.000000000090D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336334325.000000000091C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2336354629.000000000091E000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_670000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6e00a4b799833c31aedcf929dd8d8cb02f72517261e2f04213179362920d293a
    • Instruction ID: f3236e1d6a64d695bb84514faa242d4ed304a74d0d39474de3050ea1cd28c003
    • Opcode Fuzzy Hash: 6e00a4b799833c31aedcf929dd8d8cb02f72517261e2f04213179362920d293a
    • Instruction Fuzzy Hash: 1341F6B250D240EBD300AF2AD88177DFBE5EF98310F16893DD6C9C6A04D2385451DB83