
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546673
MD5: a2a68d9fbc4eaf04d07b8dd2e41837b2
SHA1: 84daf5828fbb9e6b99af9ad410a009efe2f7b653
SHA256: d493dbe8080a99bc5717fb457532de55d6aa7faec496380b518a951d71cb39f0
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7964 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A2A68D9FBC4EAF04D07B8DD2E41837B2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1337222139.0000000005220000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1470624828.0000000000C12000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA0EF4 0_2_00DA0EF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1DF48 0_2_00C1DF48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA0F04 0_2_00DA0F04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA0F24 0_2_00DA0F24
Source: file.exe, 00000000.00000002.1475533519.000000000156E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.1327626582.0000000000C16000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeQ
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2797568 > 1048576
Source: file.exe | Static PE information: Raw size of ziejvuqc is bigger than: 0x100000 < 0x2a5000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1337222139.0000000005220000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1470624828.0000000000C12000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W;ziejvuqc:EW;vpkhfhix:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2b2e4b should be: 0x2ac679
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ziejvuqc
Source: file.exe | Static PE information: section name: vpkhfhix
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA28E6 push ecx; ret 0_2_00DA291E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1EA74 push edx; mov dword ptr [esp], 6FD1DB13h 0_2_00C1F303
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C20C1F push edi; mov dword ptr [esp], ebx 0_2_00C20C25
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C20C1F push ebp; mov dword ptr [esp], 7FEF02BCh 0_2_00C23C67
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA078A push eax; mov dword ptr [esp], edi 0_2_00DA07FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA078A push 071A97B4h; mov dword ptr [esp], ebx 0_2_00DA081D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA48D8 push 04B728DFh; mov dword ptr [esp], edi 0_2_00DA4A8E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1C0D6 push 16F2DDD0h; mov dword ptr [esp], ecx 0_2_00C1C0DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9D0C1 push 0BC5E901h; mov dword ptr [esp], edi 0_2_00D9D0D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C218D9 push eax; mov dword ptr [esp], ebx 0_2_00C2591A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C218DF push 3F666D05h; mov dword ptr [esp], edx 0_2_00C24950
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA08C7 push ebx; mov dword ptr [esp], eax 0_2_00DA08E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA08C7 push esi; mov dword ptr [esp], eax 0_2_00DA0918
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA08C7 push 45231AF1h; mov dword ptr [esp], edi 0_2_00DA096B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C228EC push edx; mov dword ptr [esp], ebx 0_2_00C242B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push 2AF2284Ch; mov dword ptr [esp], edi 0_2_00DA60FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push 5824BBEAh; mov dword ptr [esp], edx 0_2_00DA6162
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push eax; mov dword ptr [esp], 37DFF6CFh 0_2_00DA619D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push 5A19BCD3h; mov dword ptr [esp], ecx 0_2_00DA61A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push ebx; mov dword ptr [esp], edi 0_2_00DA61FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push 42B499B7h; mov dword ptr [esp], ebx 0_2_00DA6225
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA60EF push 2FAEB226h; mov dword ptr [esp], eax 0_2_00DA624B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E420D2 push eax; mov dword ptr [esp], 60BA32EAh 0_2_00E42108
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E420D2 push 192880C5h; mov dword ptr [esp], ebx 0_2_00E421A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C218FF push 6BC3B1C0h; mov dword ptr [esp], ecx 0_2_00C2467E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA38E5 push eax; mov dword ptr [esp], edx 0_2_00DA3915
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1C091 push 265C386Fh; mov dword ptr [esp], eax 0_2_00C1C473
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2109E push 6A13829Bh; mov dword ptr [esp], ecx 0_2_00C21B65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3988A push 5E179141h; mov dword ptr [esp], ebp 0_2_00E398FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C1E8AA push edx; mov dword ptr [esp], ecx 0_2_00C1FCA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C240B1 push 233F9455h; mov dword ptr [esp], edi 0_2_00C240B7
Source: file.exe | Static PE information: section name: (blank) entropy: 7.801926370917028

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C1E6DD second address: C1E6E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA14C2 second address: DA14C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA14C6 second address: DA14CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA14CA second address: DA14E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5DA4DA8DB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F5DA4DA8DB6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA14E0 second address: DA14E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D81FEB second address: D82004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DC5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0610 second address: DA062E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF3062h 0x00000009 jnp 00007F5DA4DF305Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0A1F second address: DA0A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5DA4DA8DBCh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0A32 second address: DA0A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F5DA4DF305Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0A49 second address: DA0A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0BAE second address: DA0BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF305Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0BC0 second address: DA0BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0BC4 second address: DA0BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0BCC second address: DA0BDF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5DA4DA8DBEh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0D27 second address: DA0D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0D2B second address: DA0D4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DBAh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F5DA4DA8DC4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA0D4F second address: DA0D82 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5DA4DF3068h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop esi 0x0000000b push edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007F5DA4DF3056h 0x0000001a jnl 00007F5DA4DF3056h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA271F second address: DA2747 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F5DA4DA8DBDh 0x00000012 jmp 00007F5DA4DA8DBDh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2747 second address: DA2770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5DA4DF3068h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2938 second address: DA29C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F5DA4DA8DB8h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push edi 0x00000026 je 00007F5DA4DA8DBCh 0x0000002c sbb edi, 7CB35931h 0x00000032 pop esi 0x00000033 push 3226AA82h 0x00000038 jmp 00007F5DA4DA8DC7h 0x0000003d xor dword ptr [esp], 3226AA02h 0x00000044 mov esi, dword ptr [ebp+122D3D49h] 0x0000004a push 00000003h 0x0000004c push 00000000h 0x0000004e mov ecx, 3D1724C7h 0x00000053 push 00000003h 0x00000055 stc 0x00000056 call 00007F5DA4DA8DB9h 0x0000005b jp 00007F5DA4DA8DD4h 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F5DA4DA8DC6h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA29C9 second address: DA29D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA29D5 second address: DA2A2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5DA4DA8DC9h 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007F5DA4DA8DC8h 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2A2C second address: DA2A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2AEF second address: DA2AFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DA4DA8DBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2AFF second address: DA2B03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2B03 second address: DA2B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D32C6h], ebx 0x00000011 push 00000000h 0x00000013 jno 00007F5DA4DA8DB9h 0x00000019 push 1F544F31h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F5DA4DA8DC1h 0x00000026 jmp 00007F5DA4DA8DBEh 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2B47 second address: DA2B60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DA4DF3065h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2B60 second address: DA2BB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 1F544FB1h 0x00000012 mov dword ptr [ebp+122D32F5h], esi 0x00000018 push 00000003h 0x0000001a movsx ecx, bx 0x0000001d push 00000000h 0x0000001f jmp 00007F5DA4DA8DC1h 0x00000024 push 00000003h 0x00000026 mov dl, E7h 0x00000028 push 7C1152B0h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F5DA4DA8DBBh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2BB5 second address: DA2BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2BBB second address: DA2BEC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 43EEAD50h 0x0000000f mov edx, dword ptr [ebp+122D1DF0h] 0x00000015 lea ebx, dword ptr [ebp+1245864Ch] 0x0000001b add di, 779Ah 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F5DA4DA8DBCh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DA2BEC second address: DA2C00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3060h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC16A4 second address: DC16B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1CDE second address: DC1CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1CE4 second address: DC1CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1CE9 second address: DC1CEE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC1CEE second address: DC1CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC216A second address: DC2183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF3065h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2183 second address: DC218F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC218F second address: DC21C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF305Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F5DA4DF3067h 0x0000000f jmp 00007F5DA4DF305Ah 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2313 second address: DC2323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F5DA4DA8DB6h 0x0000000a jg 00007F5DA4DA8DB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2323 second address: DC2363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3061h 0x00000007 jmp 00007F5DA4DF3061h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5DA4DF3065h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2363 second address: DC2367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC2A64 second address: DC2A68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC343C second address: DC3447 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F5DA4DA8DB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC6021 second address: DC6025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC6025 second address: DC603B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC7FC5 second address: DC7FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC8739 second address: DC8747 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5DA4DA8DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DC8747 second address: DC874B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D8F81A second address: D8F829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5DA4DA8DB6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D8F829 second address: D8F82D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCFA37 second address: DCFA51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DBDh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F5DA4DA8DB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCEF3F second address: DCEF45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DCEF45 second address: DCEF66 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F5DA4DA8DB8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007F5DA4DA8DBDh 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD303C second address: DD3041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD3041 second address: DD3047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD3047 second address: DD3056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD3056 second address: DD305C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD305C second address: DD3062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD418C second address: DD4196 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5DA4DA8DBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D962D8 second address: D962DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D962DE second address: D962E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD5CC6 second address: DD5CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F5DA4DF3067h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD66EC second address: DD66FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5DA4DA8DB6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD66FB second address: DD6715 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF305Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c js 00007F5DA4DF305Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD65B5 second address: DD65DE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F5DA4DA8DB6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jno 00007F5DA4DA8DC6h 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD6715 second address: DD678D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF3063h 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F5DA4DF3058h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 mov esi, 7ABE3FEAh 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F5DA4DF3058h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 or dword ptr [ebp+122D1D08h], edi 0x0000004c adc esi, 4F6299B9h 0x00000052 push 00000000h 0x00000054 or dword ptr [ebp+12453A0Bh], ebx 0x0000005a push eax 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: DD678D second address: DD6791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD7830 second address: DD7835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD7835 second address: DD78BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F5DA4DA8DB8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov di, 9446h 0x0000002a mov edi, dword ptr [ebp+122D2D70h] 0x00000030 jl 00007F5DA4DA8DD0h 0x00000036 call 00007F5DA4DA8DBCh 0x0000003b call 00007F5DA4DA8DBCh 0x00000040 pop edi 0x00000041 pop edi 0x00000042 push 00000000h 0x00000044 mov edi, 05F155BBh 0x00000049 xchg eax, ebx 0x0000004a jne 00007F5DA4DA8DC6h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD78BF second address: DD78C9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5DA4DF3056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD8BFF second address: DD8C03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD9970 second address: DD9975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC9B1 second address: DDC9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC9B8 second address: DDC9BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE01B second address: DDE09B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, 77035974h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F5DA4DA8DB8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov bl, F1h 0x0000002e or dword ptr [ebp+122D1E50h], edi 0x00000034 cmc 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F5DA4DA8DB8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 call 00007F5DA4DA8DC8h 0x00000056 pop ebx 0x00000057 xchg eax, esi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE09B second address: DDE09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE09F second address: DDE0A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE0A3 second address: DDE0A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE0A9 second address: DDE0B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE0B8 second address: DDE0C2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5DA4DF3056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE0C2 second address: DDE0C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDEF10 second address: DDEF14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDEF14 second address: DDEF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE214 second address: DDE219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE219 second address: DDE21F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDEF1A second address: DDEFA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3061h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F5DA4DF3062h 0x0000000f nop 0x00000010 mov edi, dword ptr [ebp+122D2D84h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F5DA4DF3058h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F5DA4DF3058h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e mov dword ptr [ebp+122D34F6h], ebx 0x00000054 xchg eax, esi 0x00000055 push eax 0x00000056 push edx 0x00000057 jno 00007F5DA4DF305Ch 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE21F second address: DDE234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5DA4DA8DBBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDEFA8 second address: DDEFB2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5DA4DF305Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE001F second address: DE0023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDF26F second address: DDF279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F5DA4DF3056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE0023 second address: DE003A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5DA4DA8DBFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE003A second address: DE0050 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5DA4DF3056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F5DA4DF3058h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9486D second address: D9487D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F5DA4DA8DCEh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE02C6 second address: DE02CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9487D second address: D94883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D94883 second address: D94887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D94887 second address: D9488B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE36A3 second address: DE36B5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5DA4DF3058h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE36B5 second address: DE36BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE36BA second address: DE36BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE36BF second address: DE3711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bx, 50E7h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F5DA4DA8DB8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c cmc 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jbe 00007F5DA4DA8DC8h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE3711 second address: DE371B instructions: 0x00000000 rdtsc 0x00000002 je 00007F5DA4DF305Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5817 second address: DE581D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE66C2 second address: DE66C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE66C6 second address: DE66CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE66CB second address: DE66D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE66D1 second address: DE66E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b js 00007F5DA4DA8DB6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE778C second address: DE7791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7791 second address: DE781A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DC2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F5DA4DA8DC2h 0x00000012 nop 0x00000013 pushad 0x00000014 movzx eax, ax 0x00000017 mov edx, dword ptr [ebp+122D35DDh] 0x0000001d popad 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ecx 0x00000023 call 00007F5DA4DA8DB8h 0x00000028 pop ecx 0x00000029 mov dword ptr [esp+04h], ecx 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc ecx 0x00000036 push ecx 0x00000037 ret 0x00000038 pop ecx 0x00000039 ret 0x0000003a mov dword ptr [ebp+1246BFA3h], eax 0x00000040 push edi 0x00000041 mov dword ptr [ebp+122D311Ah], ebx 0x00000047 pop ebx 0x00000048 push 00000000h 0x0000004a jne 00007F5DA4DA8DC6h 0x00000050 xchg eax, esi 0x00000051 jc 00007F5DA4DA8DBEh 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE781A second address: DE7836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F5DA4DF3064h 0x0000000e jmp 00007F5DA4DF305Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7836 second address: DE783B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEA920 second address: DEA93D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3069h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEA93D second address: DEA9B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F5DA4DA8DB8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 sbb ebx, 12526DABh 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F5DA4DA8DB8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 sub ebx, dword ptr [ebp+122D328Ch] 0x0000004e mov edi, dword ptr [ebp+122D32A0h] 0x00000054 push 00000000h 0x00000056 mov dword ptr [ebp+122D1E14h], eax 0x0000005c xchg eax, esi 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 jo 00007F5DA4DA8DB6h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEA9B9 second address: DEA9BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEC917 second address: DEC92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F5DA4DA8DB6h 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007F5DA4DA8DB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEC92B second address: DEC98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 ja 00007F5DA4DF3058h 0x0000000e pop esi 0x0000000f nop 0x00000010 jmp 00007F5DA4DF305Fh 0x00000015 push 00000000h 0x00000017 stc 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b cld 0x0000001c jmp 00007F5DA4DF3061h 0x00000021 popad 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 jo 00007F5DA4DF3060h 0x0000002a jmp 00007F5DA4DF305Ah 0x0000002f jns 00007F5DA4DF305Ch 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 push ebx 0x00000039 push edx 0x0000003a pop edx 0x0000003b pop ebx 0x0000003c push esi 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE88FC second address: DE8900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9A65 second address: DE9A69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEAB4C second address: DEAB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE8900 second address: DE8904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBB08 second address: DEBBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F5DA4DA8DB8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov bx, 151Eh 0x00000027 push dword ptr fs:[00000000h] 0x0000002e or dword ptr [ebp+1246BF97h], edi 0x00000034 jmp 00007F5DA4DA8DC6h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007F5DA4DA8DB8h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000016h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a call 00007F5DA4DA8DC1h 0x0000005f mov edi, dword ptr [ebp+124588CBh] 0x00000065 pop edi 0x00000066 add di, 249Eh 0x0000006b mov eax, dword ptr [ebp+122D1311h] 0x00000071 xor bx, 333Bh 0x00000076 push FFFFFFFFh 0x00000078 mov bh, al 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d jmp 00007F5DA4DA8DBAh 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEAB52 second address: DEAB56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEE9F8 second address: DEEA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F5DA4DA8DB6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4B80 second address: DF4BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5DA4DF3069h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4BA0 second address: DF4BC1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5DA4DA8DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5DA4DA8DBFh 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F5DA4DA8DB6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D854B0 second address: D854B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D854B6 second address: D854BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D854BB second address: D854C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D854C1 second address: D854C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7C2B second address: DF7C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7C2F second address: DF7C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7DC4 second address: DF7DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7F4C second address: DF7F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7F50 second address: DF7F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF3067h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jp 00007F5DA4DF3056h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E07299 second address: E072C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007F5DA4DA8DC4h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5DA4DA8DBCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E072C6 second address: E072CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E072CA second address: E072F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnl 00007F5DA4DA8DC4h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E072F1 second address: E0730D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3068h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0752A second address: E07534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F5DA4DA8DB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D181 second address: E0D18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D18E second address: E0D19B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5DA4DA8DB6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D19B second address: E0D1A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0BFD2 second address: E0BFD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0BFD6 second address: E0BFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F5DA4DF305Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0BFF1 second address: E0BFF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C587 second address: E0C58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C58B second address: E0C591 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C85D second address: E0C86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 jo 00007F5DA4DF306Eh 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C86C second address: E0C87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F5DA4DA8DB6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CC37 second address: E0CC3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CC3B second address: E0CC56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007F5DA4DA8DB6h 0x0000000d pop eax 0x0000000e jmp 00007F5DA4DA8DBAh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CC56 second address: E0CC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5DA4DF3056h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CEF5 second address: E0CEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E145DF second address: E145E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E145E3 second address: E145FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jno 00007F5DA4DA8DB6h 0x00000011 popad 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14746 second address: E1474E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E148C9 second address: E148CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14A3F second address: E14A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF3069h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14A61 second address: E14A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E14A67 second address: E14A78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF305Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E151C9 second address: E151CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E151CF second address: E15206 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5DA4DF3056h 0x00000008 jmp 00007F5DA4DF305Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F5DA4DF3068h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15206 second address: E1521A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DBEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1521A second address: E15225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15368 second address: E15373 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5DA4DA8DB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15373 second address: E15380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBB685 second address: DBB68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBB68B second address: DBB69A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jo 00007F5DA4DF3056h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E158C7 second address: E158CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19306 second address: E19326 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5DA4DF3056h 0x00000008 jmp 00007F5DA4DF3063h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19326 second address: E19335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F5DA4DA8DB6h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1844 second address: DD18B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3067h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F5DA4DF305Ah 0x00000010 push ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 nop 0x00000015 jmp 00007F5DA4DF3062h 0x0000001a lea eax, dword ptr [ebp+12487594h] 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007F5DA4DF3058h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 0000001Ch 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jc 00007F5DA4DF3058h 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1921 second address: DD1926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1926 second address: DD1949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3064h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d js 00007F5DA4DF3056h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1949 second address: DD1953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5DA4DA8DB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1D2F second address: DD1D35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1DB6 second address: DD1DF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F5DA4DA8DC0h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push ebx 0x00000010 pushad 0x00000011 jmp 00007F5DA4DA8DC1h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e je 00007F5DA4DA8DC0h 0x00000024 pushad 0x00000025 push esi 0x00000026 pop esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1DF6 second address: DD1E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007F5DA4DF3068h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push ebx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1E1D second address: DD1E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F5DA4DA8DB6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c pop eax 0x0000000d mov di, si 0x00000010 call 00007F5DA4DA8DB9h 0x00000015 push ecx 0x00000016 jmp 00007F5DA4DA8DC3h 0x0000001b pop ecx 0x0000001c push eax 0x0000001d jmp 00007F5DA4DA8DC2h 0x00000022 mov eax, dword ptr [esp+04h] 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 jg 00007F5DA4DA8DB6h 0x0000002f ja 00007F5DA4DA8DB6h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD1F8A second address: DD1FA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3068h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD20F4 second address: DD210A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5DA4DA8DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F5DA4DA8DB8h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD210A second address: DD210F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD210F second address: DD213F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F5DA4DA8DC9h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 jnl 00007F5DA4DA8DB6h 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD213F second address: DD2144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2144 second address: DD214A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD214A second address: DD2163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F5DA4DF305Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2A86 second address: DD2A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2A8A second address: DD2B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F5DA4DF305Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f push ebx 0x00000010 jmp 00007F5DA4DF3066h 0x00000015 pop ebx 0x00000016 pop ebx 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F5DA4DF3058h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 jmp 00007F5DA4DF3063h 0x00000037 lea eax, dword ptr [ebp+124875D8h] 0x0000003d push 00000000h 0x0000003f push ebp 0x00000040 call 00007F5DA4DF3058h 0x00000045 pop ebp 0x00000046 mov dword ptr [esp+04h], ebp 0x0000004a add dword ptr [esp+04h], 00000017h 0x00000052 inc ebp 0x00000053 push ebp 0x00000054 ret 0x00000055 pop ebp 0x00000056 ret 0x00000057 mov ch, ah 0x00000059 nop 0x0000005a jo 00007F5DA4DF3060h 0x00000060 pushad 0x00000061 pushad 0x00000062 popad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2B23 second address: DD2B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2B2D second address: DD2B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D32EBh], edi 0x0000000d lea eax, dword ptr [ebp+12487594h] 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F5DA4DF3058h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F5DA4DF3065h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2B7B second address: DBB685 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F5DA4DA8DC7h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F5DA4DA8DB8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 mov edi, 3A8A75DCh 0x0000002d jmp 00007F5DA4DA8DBDh 0x00000032 call dword ptr [ebp+124539F6h] 0x00000038 pushad 0x00000039 ja 00007F5DA4DA8DBAh 0x0000003f push ebx 0x00000040 jnc 00007F5DA4DA8DB6h 0x00000046 pop ebx 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19767 second address: E1976B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E19B1B second address: E19B50 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5DA4DA8DB6h 0x00000008 jmp 00007F5DA4DA8DC3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F5DA4DA8DC1h 0x00000017 push edi 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B8D8 second address: E1B8E8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5DA4DF3056h 0x00000008 jnc 00007F5DA4DF3056h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B8E8 second address: E1B8F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F5DA4DA8DB6h 0x00000009 jnc 00007F5DA4DA8DB6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2369F second address: E236A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23FAD second address: E23FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23FB3 second address: E23FC3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5DA4DF3056h 0x00000008 jl 00007F5DA4DF3056h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23FC3 second address: E23FC8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23FC8 second address: E23FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E23FD3 second address: E23FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2741B second address: E27420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E27420 second address: E27432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DA4DA8DBEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E27570 second address: E2757F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F5DA4DF3056h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2757F second address: E27585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B5BD second address: E2B5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B5C1 second address: E2B5C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B5C7 second address: E2B5CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B5CC second address: E2B5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5DA4DA8DBBh 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jnl 00007F5DA4DA8DB6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B5EF second address: E2B5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B748 second address: E2B74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B74E second address: E2B759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B896 second address: E2B8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5DA4DA8DB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B8A1 second address: E2B8A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2B8A7 second address: E2B8ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DBFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F5DA4DA8DDDh 0x00000015 jmp 00007F5DA4DA8DC5h 0x0000001a jmp 00007F5DA4DA8DC2h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E30DFC second address: E30E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3107E second address: E31082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E31082 second address: E31086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E314AF second address: E314C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD24FE second address: DD2510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DA4DF305Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD2510 second address: DD25B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+1245306Ch], eax 0x00000012 mov ebx, dword ptr [ebp+124875D3h] 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007F5DA4DA8DB8h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 add eax, ebx 0x00000034 mov edi, dword ptr [ebp+122D2CE0h] 0x0000003a push eax 0x0000003b pushad 0x0000003c jnp 00007F5DA4DA8DB8h 0x00000042 push edx 0x00000043 pop edx 0x00000044 jmp 00007F5DA4DA8DC5h 0x00000049 popad 0x0000004a mov dword ptr [esp], eax 0x0000004d jmp 00007F5DA4DA8DC9h 0x00000052 push 00000004h 0x00000054 sub dword ptr [ebp+1245D30Bh], edx 0x0000005a push eax 0x0000005b jnp 00007F5DA4DA8DBEh 0x00000061 push esi 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E31745 second address: E31766 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F5DA4DF3058h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35FCF second address: E35FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DBBh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35FE2 second address: E36018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a jne 00007F5DA4DF3056h 0x00000010 je 00007F5DA4DF3056h 0x00000016 popad 0x00000017 popad 0x00000018 push ecx 0x00000019 pushad 0x0000001a ja 00007F5DA4DF3056h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F5DA4DF305Fh 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E36018 second address: E3601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35918 second address: E3592B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F5DA4DF3056h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3592B second address: E35931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35931 second address: E35945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF305Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39167 second address: E391A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DBEh 0x00000009 jmp 00007F5DA4DA8DC0h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007F5DA4DA8DB6h 0x00000017 jmp 00007F5DA4DA8DC5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39321 second address: E39325 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39325 second address: E39344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DA8DC9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39344 second address: E3934C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3934C second address: E39350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39350 second address: E3936D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3936D second address: E39371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E395F7 second address: E3960E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F5DA4DF3056h 0x00000011 jl 00007F5DA4DF3056h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3960E second address: E39618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39618 second address: E3961E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3961E second address: E39632 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5DA4DA8DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F5DA4DA8DB6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39632 second address: E39636 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E40351 second address: E40357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E40357 second address: E40376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 jmp 00007F5DA4DF3061h 0x0000000e pop ebx 0x0000000f push edi 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E40376 second address: E4037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E411BB second address: E411C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F5DA4DF3056h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E41786 second address: E4178A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E453C7 second address: E453E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3068h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E453E3 second address: E453EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jbe 00007F5DA4DA8DB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4581A second address: E4581E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E4581E second address: E45822 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E45822 second address: E45849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5DA4DF3065h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007F5DA4DF3056h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E45849 second address: E4584D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E45ACB second address: E45AD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E45AD1 second address: E45B0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5DA4DA8DC6h 0x00000008 jns 00007F5DA4DA8DB6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5DA4DA8DC5h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50150 second address: E50154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50154 second address: E50158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50158 second address: E50164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5DA4DF3056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50164 second address: E5017F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DA4DA8DC5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5017F second address: E50183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E502BD second address: E502C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50595 second address: E5059F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5DA4DF3056h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5059F second address: E505A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505A9 second address: E505BE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5DA4DF3056h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F5DA4DF3056h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505BE second address: E505C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505C2 second address: E505C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505C8 second address: E505CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505CE second address: E505D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505D4 second address: E505D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E505D8 second address: E505DE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50849 second address: E5084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5084F second address: E50857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50857 second address: E5085D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5085D second address: E5086A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F5DA4DF3056h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5086A second address: E50890 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jc 00007F5DA4DA8DB6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F5DA4DA8DC3h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A22 second address: E50A28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A28 second address: E50A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F5DA4DA8DB8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50A3A second address: E50A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5DA4DF3056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E50CCB second address: E50CF2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F5DA4DA8DC0h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F5DA4DA8DBDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E51044 second address: E51048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E515A2 second address: E515BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F5DA4DA8DB6h 0x0000000a jmp 00007F5DA4DA8DBEh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E515BA second address: E515C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF305Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E59056 second address: E5905E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E5905E second address: E59091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5DA4DF3063h 0x0000000a jmp 00007F5DA4DF3064h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E59091 second address: E590B4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5DA4DA8DB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5DA4DA8DC9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E590B4 second address: E590BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5DA4DF3056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E590BE second address: E590C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E58AA8 second address: E58AAD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E58DA9 second address: E58DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E58DAD second address: E58DCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F5DA4DF305Ah 0x0000000c jmp 00007F5DA4DF3060h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E58DCF second address: E58DD9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5DA4DA8DBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E6617A second address: E66180 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E68762 second address: E68771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E707F0 second address: E7081F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jbe 00007F5DA4DF3056h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F5DA4DF3069h 0x00000012 jl 00007F5DA4DF305Eh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E6F45F second address: E6F463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E6F463 second address: E6F48D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5DA4DF3062h 0x0000000f jmp 00007F5DA4DF305Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E6F48D second address: E6F492 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E78646 second address: E7864A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E7864A second address: E78680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DBEh 0x00000007 jmp 00007F5DA4DA8DC9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F5DA4DA8DBBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E784F8 second address: E7850A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push edi 0x00000008 jng 00007F5DA4DF305Eh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E81C8B second address: E81C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E806E6 second address: E806F0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5DA4DF305Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E806F0 second address: E806FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E806FA second address: E806FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E80F42 second address: E80F50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F5DA4DA8DB8h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E80F50 second address: E80F7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DA4DF3061h 0x00000009 jmp 00007F5DA4DF3068h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E80F7D second address: E80F81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E80F81 second address: E80F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E819E9 second address: E819ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E819ED second address: E81A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF305Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E81A02 second address: E81A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E87AF4 second address: E87AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5DA4DF3056h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E87AFE second address: E87B04 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E87B04 second address: E87B27 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5DA4DF3065h 0x00000008 jmp 00007F5DA4DF305Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E87632 second address: E87652 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F5DA4DA8DB8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E87652 second address: E87682 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a js 00007F5DA4DF3056h 0x00000010 jmp 00007F5DA4DF3068h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E87800 second address: E87817 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5DA4DA8DBCh 0x00000008 je 00007F5DA4DA8DB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E92306 second address: E92321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF3067h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E92140 second address: E92146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E92146 second address: E92177 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DF3065h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c jmp 00007F5DA4DF305Ch 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jne 00007F5DA4DF3056h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E9E47A second address: E9E47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EA569D second address: EA56B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5DA4DF305Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EA56B6 second address: EA5707 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5DA4DA8DB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F5DA4DA8DD1h 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F5DA4DA8DC2h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F5DA4DA8DBEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EA59F9 second address: EA59FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EA59FD second address: EA5A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F5DA4DA8DBAh 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EA5E94 second address: EA5EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5DA4DF3067h 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EA5FEB second address: EA5FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAA6F7 second address: EAA72E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5DA4DF3066h 0x00000010 jmp 00007F5DA4DF3066h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAA72E second address: EAA75A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F5DA4DA8DC7h 0x0000000f jmp 00007F5DA4DA8DC1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFD72 second address: EAFD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5DA4DF3068h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAFD8F second address: EAFDB2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jng 00007F5DA4DA8DB6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edx 0x0000000e jl 00007F5DA4DA8DB6h 0x00000014 jns 00007F5DA4DA8DB6h 0x0000001a pop edx 0x0000001b jnp 00007F5DA4DA8DD4h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EB44A7 second address: EB44BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DA4DF305Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EB44BA second address: EB44DE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F5DA4DA8DB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5DA4DA8DC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EB40A3 second address: EB40B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5DA4DF305Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EB40B6 second address: EB40CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DA4DA8DC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAAA1B second address: EAAA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jc 00007F5DA4DF305Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EAAB7D second address: EAAB81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DD19AF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E5DDE6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 56A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA2A8D rdtsc | 0_2_00DA2A8D
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 8128 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA2CFC Start: 00DA2D3D End: 00DA2D16 | 0_2_00DA2CFC
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA2A8D rdtsc | 0_2_00DA2A8D
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.1474106445.0000000000DEF000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: sProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (a number in front of a technique is the hit count the report shows for that cell; techniques without a number are the unmarked cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; 2 Bypass User Account Control; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 41 Disable or Modify Tools; 261 Virtualization/Sandbox Evasion; 1 Process Injection; 2 Obfuscated Files or Information; 11 Software Packing; 1 DLL Side-Loading; 2 Bypass User Account Control
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 641 Security Software Discovery; 2 Process Discovery; 261 Virtualization/Sandbox Evasion; 22 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML
No Antivirus matches

Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546673
Start date and time: 2024-11-01 12:32:15 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• VT rate limit hit for: file.exe
    No simulations
    No context
    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    s-part-0017.t-0009.t-msedge.net | https://www.cognitoforms.com/f/wAh1CzXrnEmEifrmJ4OEgg/1 | Get hash | malicious | HTMLPhisher, Mamba2FA | Browse | 13.107.246.45
     | file.exe | Get hash | malicious | LummaC | Browse | 13.107.246.45
     | https://www.attemplate.com/eur/f93d2770-ba65-484a-a0ba-ef8bddcf2ed4/3cd045c9-e63b-453b-b9a3-b5e29e9ef20e/9253d536-e8da-44d0-b681-445519f254ea/login?id=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 | Get hash | malicious | HTMLPhisher, Microsoft Phishing | Browse | 13.107.246.45
     | https://url.avanan.click/v2/r01/___https://h2o.ci.akron.oh.us/iwr/user/login.seam___.YXAzOmluZmluaXRlc29sdXRpb25zbGxjLXByZXN0aWdlYWRtaW5zZXJ2aWNlczphOm86NzUyOWFlMTE5NjU3Njc3NTJlNTQyYWQxM2Y1ZTcwZDY6NzpjNWQyOjZkZDczZDkyM2VjNmVjZTM5NDA0OGU4ZGYyYzUzMTAzMTJhMGFiYzg3NmE2NGIwMWVmMjk1MzI0NGExMWQyNjQ6cDpUOk4 | Get hash | malicious | Unknown | Browse | 13.107.246.45
     | https://my-homepagero.sa.com/exml/ | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.45
     | https://pdfhost.io/v/maTYQa.jg_mqfilserawxgxdgxhhgsx_1 | Get hash | malicious | Unknown | Browse | 13.107.246.45
     | 1nnlXctdko.dll | Get hash | malicious | Amadey | Browse | 13.107.246.45
     | https://hotmail.pizza4you.com.br/ | Get hash | malicious | Mamba2FA | Browse | 13.107.246.45
     | https://bafybeiddvo3il63heagouckt2pt3cr4xxiogr3tuansgqgmot65ahjsfma.ipfs.dweb.link/#sean@virtualintelligencebriefing.com | Get hash | malicious | HTMLPhisher | Browse | 13.107.246.45
     | 19972041693118971.js | Get hash | malicious | Strela Downloader | Browse | 13.107.246.45
    No context
    Process:C:\Users\user\Desktop\file.exe
    File Type:CSV text
    Category:dropped
    Size (bytes):226
    Entropy (8bit):5.360398796477698
    Encrypted:false
    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
    MD5:3A8957C6382192B71471BD14359D0B12
    SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
    SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
    SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
    Malicious:true
    Reputation:high, very likely benign file
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.472675766370845
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:2'797'568 bytes
    MD5:a2a68d9fbc4eaf04d07b8dd2e41837b2
    SHA1:84daf5828fbb9e6b99af9ad410a009efe2f7b653
    SHA256:d493dbe8080a99bc5717fb457532de55d6aa7faec496380b518a951d71cb39f0
    SHA512:04454ce6a449be2511ed161eeb53d022b6df9e75ad467e25ee980707d9695442841425175946e90e81dc50def2fda101113dfe1f825d1f7ee729c8ab187376c9
    SSDEEP:24576:SaNWjcn0Hfkl3VVt2KK2rAR+Un6T5jMT1NxftHhYeg0bJrqM5IjgZACUpaA5Tb1z:SsnhVVGwFNjY1IQAMA5lXWgnDFe5
    TLSH:A6D52A96F54571CFD48E2678D42BED82A96D43B90B214CC3E82CA4BEBE77CC115B6C24
    File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... +.. ...`....@.. .......................`+.....K.+...`................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x6b2000
    Entrypoint Section:.taggant
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
    Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:2eabe9054cad5152567f0699947a2c5b
    Instruction
    jmp 00007F5DA4D4B4EAh
    jng 00007F5DA4D4B510h
    add byte ptr [eax], al
    jmp 00007F5DA4D4D4E5h
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    (unnamed) | 0x2000 | 0x4000 | 0x1200 | 69001bbeb7128ac187173566235f6e14 | False | 0.9333767361111112 | data | 7.801926370917028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    ziejvuqc | 0xa000 | 0x2a6000 | 0x2a5000 | 8477cf9868549eba908f6e2163f2b7ab | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    vpkhfhix | 0x2b0000 | 0x2000 | 0x400 | ce92ca2889315761d541e92343871f77 | False | 0.7421875 | data | 5.832772411030577 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .taggant | 0x2b2000 | 0x4000 | 0x2200 | e31cc9071b9e142cb59ebb38c8e168f9 | False | 0.006433823529411764 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
    RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
    DLL | Import
    kernel32.dll | lstrcpy
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Nov 1, 2024 12:33:12.635245085 CET | 1.1.1.1 | 192.168.2.10 | 0xeed0 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
    Nov 1, 2024 12:33:12.635245085 CET | 1.1.1.1 | 192.168.2.10 | 0xeed0 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false


    Target ID:0
    Start time:07:33:14
    Start date:01/11/2024
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\file.exe"
    Imagebase:0xc10000
    File size:2'797'568 bytes
    MD5 hash:A2A68D9FBC4EAF04D07B8DD2E41837B2
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true


      Execution Graph

      Execution Coverage:3.1%
      Dynamic/Decrypted Code Coverage:39.1%
      Signature Coverage:0%
      Total number of Nodes:23
      Total number of Limit Nodes:1
      Execution graph nodes with API calls: da078a: LoadLibraryA; 54c1349: ImpersonateLoggedOnUser; 54c0d93: OpenSCManagerW; c1eb57: VirtualAlloc; da2ab2: CreateFileA; da2c1a: CreateFileA; 54c1558: ControlService; da28eb: CreateFileA

      Control-flow Graph

      Control-flow graph of the function at da2a8d (basic blocks da2a8d through da3758, which ends in a self-loop): CreateFileA is called at da2ab2 and da2c0a, and da2c88 is called from da2c74.
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      • Associated: 00000000.00000002.1470604423.0000000000C10000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1470624828.0000000000C12000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1470927053.0000000000C16000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1471160114.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1471234071.0000000000C26000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473179118.0000000000D80000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473198632.0000000000D82000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473332317.0000000000DAB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473462880.0000000000DAD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473503880.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473656437.0000000000DBE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473688910.0000000000DBF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473727403.0000000000DC1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473886783.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473968021.0000000000DDB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474017662.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474073466.0000000000DE3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474106445.0000000000DEF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474156795.0000000000E11000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474176337.0000000000E16000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474192047.0000000000E17000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474209581.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474263999.0000000000E1B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474285860.0000000000E1C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474310930.0000000000E23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474357320.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474842547.0000000000E2C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474864869.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474897178.0000000000E43000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474920732.0000000000E4B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475045532.0000000000E4C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475135090.0000000000E53000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475254325.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475254325.0000000000EB2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475310980.0000000000EC0000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: b321da49f7f13e38f31f9ca39447a6ed435f84f007181465908c3ba42d4af6d8
      • Instruction ID: ece9fb67641cb9204028dcbf83b5ad42e64667ea0b362a65a3a9911d5bf07d69
      • Opcode Fuzzy Hash: b321da49f7f13e38f31f9ca39447a6ed435f84f007181465908c3ba42d4af6d8
      • Instruction Fuzzy Hash: 0381A5B550810EAFDB01DF19C944AFF77AAEB56320F30042AFC82C7A41E7718D659A79

      Control-flow Graph

      Control-flow graph of the function at da2a9c (basic blocks da2a9c through da3758, which ends in a self-loop): CreateFileA is called at da2ab2 and da2c0a, and da2c88 is called from da2c74.
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 76165fa4ca483d323fdad224c1d3897de6cb55c345a0312cafc45ff317fd8a79
      • Instruction ID: 301fa50f099d6ce4bfe711762279bfa993f3787f7057e5e83e60ef849564dd51
      • Opcode Fuzzy Hash: 76165fa4ca483d323fdad224c1d3897de6cb55c345a0312cafc45ff317fd8a79
      • Instruction Fuzzy Hash: AE81B6B550810EAFDB01DF19C944AFF77AAEB56320F30002AFC82C7A41E7718D659A79

      Control-flow Graph

      Control-flow graph of the function at da2a52 (basic blocks da2a52 through da3758, which ends in a self-loop): da2a79 is called from da2a5b, CreateFileA is called at da2c0a, and da2c88 is called from da2c74.
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID:
      • String ID: R
      • API String ID: 0-1466425173
      • Opcode ID: 5eb1ac1499a39d78903b3022d59568ecad28975199d9985b097d731ba68b1407
      • Instruction ID: f72567c4948f46462760a11c8dcfc2afbf72ba397bc073c9826dd68d3fc0ddc2
      • Opcode Fuzzy Hash: 5eb1ac1499a39d78903b3022d59568ecad28975199d9985b097d731ba68b1407
      • Instruction Fuzzy Hash: 8591B5B550825EAFEB01DF19C844AFF77A5EB56720F20002AFC82C7A41E3718D659B79

      Control-flow Graph

      Control-flow graph of the function at da2ae4 (basic blocks da2ae4 through da3758, which ends in a self-loop): CreateFileA is called at da2c0a, and da2c88 is called from da2c74.
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 70a973370bdbfcd06ddf42829fc1bd9b67532d7da2638f6280202b9c2402610a
      • Instruction ID: 49afde52d9260e1be6a814610cc04d03f1315f35f77b0c5222ead425c5d66639
      • Opcode Fuzzy Hash: 70a973370bdbfcd06ddf42829fc1bd9b67532d7da2638f6280202b9c2402610a
      • Instruction Fuzzy Hash: F58194B560814EEFDB01DF19C844AFF77A6EB56321F20042AFC82C7A40D7718D649A69

      Control-flow Graph (rendered graph omitted; entry block da2a93, blocks through da3758, CreateFileA called in block da2c0a-da2c3c)
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 223c681576fb0f75ca0dec863a8373f948bf4dcf0a21b7312d4ef5b3e489b55e
      • Instruction ID: 248f7b2f9fbec9d1847438e6936783e92e8fdda7e3e7726a90297de212fc47d2
      • Opcode Fuzzy Hash: 223c681576fb0f75ca0dec863a8373f948bf4dcf0a21b7312d4ef5b3e489b55e
      • Instruction Fuzzy Hash: 8B7194B560814EEFDB01DF19C844AFF77A6EB56321F20042AFC82C7A40D7718D649BA9

      Control-flow Graph (rendered graph omitted; entry block da2afd, blocks through da3758, CreateFileA called in block da2c0a-da2c3c)
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 9dd27dacae1e6eedd5946bbf428900423b1498063f0b83ecae871fbe7a730824
      • Instruction ID: 439224c1c9a8574986862ac7a2e2ca581f4e081260c4e86e9f6a52e085f1d962
      • Opcode Fuzzy Hash: 9dd27dacae1e6eedd5946bbf428900423b1498063f0b83ecae871fbe7a730824
      • Instruction Fuzzy Hash: 2071A4B560810EEFDB01DF19C844AFF77A6EB56321F20002AFC82C7A40D7718D649AB9

      Control-flow Graph (rendered graph omitted; entry block da2b4f, blocks through da3758, CreateFileA called in block da2c0a-da2c3c)
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 5619813efc40ce29ad0e5aa67c9cef15500390a7f115755c2ee7d9c4431fa34d
      • Instruction ID: f46060ccce9a27a173fcee1a6b618094c17983504a1c110e32c873ada0757732
      • Opcode Fuzzy Hash: 5619813efc40ce29ad0e5aa67c9cef15500390a7f115755c2ee7d9c4431fa34d
      • Instruction Fuzzy Hash: E87184B550814EEFDB01DF19C844AFF77A6EB56321F20002AFC8287A41D7728D659FA9

      Control-flow Graph (rendered graph omitted; entry block da2b67, blocks through da3758, CreateFileA called in block da2c0a-da2c3c)
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 7643b5063fac475a524b4de2bf9ea4aef5863e8e942ddd035030f4a1c57648b4
      • Instruction ID: 474bb29d5f16a52fdda0b54324b4c5418904828cb8331fc4a5e43e9d2c0c3754
      • Opcode Fuzzy Hash: 7643b5063fac475a524b4de2bf9ea4aef5863e8e942ddd035030f4a1c57648b4
      • Instruction Fuzzy Hash: 0E71A5B550814EDFDB01DF19C844AFF77A6EB56321F20002AFC8287A40D7728D659FA9

      Control-flow Graph (rendered graph omitted; entry block da2b93, blocks through da3758, CreateFileA called in block da2c0a-da2c3c)
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 5293a16f1a3f4de12740746cab49c00ab29fb6f6aedd04481c61d4a2c96a49f4
      • Instruction ID: 903928590fd2ed2f142a48c460bb54416fa209beb8749df933a5415b89254dd2
      • Opcode Fuzzy Hash: 5293a16f1a3f4de12740746cab49c00ab29fb6f6aedd04481c61d4a2c96a49f4
      • Instruction Fuzzy Hash: E371B57560824EEFDB01DF18C8446FF77A6EB56311F24012AFC8287A41E7728D649FA9

      Control-flow Graph (rendered graph omitted; entry block da2baf, blocks through da3758, CreateFileA called in block da2c0a-da2c3c)
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      • Associated: 00000000.00000002.1470604423.0000000000C10000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1470624828.0000000000C12000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1470927053.0000000000C16000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1471160114.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1471234071.0000000000C26000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473179118.0000000000D80000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473198632.0000000000D82000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473332317.0000000000DAB000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473462880.0000000000DAD000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473503880.0000000000DB1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473656437.0000000000DBE000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473688910.0000000000DBF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473727403.0000000000DC1000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473886783.0000000000DC2000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1473968021.0000000000DDB000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474017662.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474073466.0000000000DE3000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474106445.0000000000DEF000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474156795.0000000000E11000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474176337.0000000000E16000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474192047.0000000000E17000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474209581.0000000000E1A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474263999.0000000000E1B000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474285860.0000000000E1C000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474310930.0000000000E23000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474357320.0000000000E25000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474842547.0000000000E2C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474864869.0000000000E2D000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474897178.0000000000E43000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474920732.0000000000E4B000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475045532.0000000000E4C000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475135090.0000000000E53000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475254325.0000000000EA9000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475254325.0000000000EB2000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475310980.0000000000EC0000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 8171cc5a5c9b0d764cc995491d51493114c79309cb56ec1408138cef79c03ee5
      • Instruction ID: 2751588d3cd5ed4c071f1d2df8b0a16096aa6a468f39a6d82623ace4cdface51
      • Opcode Fuzzy Hash: 8171cc5a5c9b0d764cc995491d51493114c79309cb56ec1408138cef79c03ee5
      • Instruction Fuzzy Hash: 0D61A3B560814EDFDB01DF19C8445EF77A6EB56321F20002AFC82C7A41E7728D659FA9

      Control-flow Graph (nodes as id, address range and API call; edges as id->id)
      • 487 da2be6-da2c3c CreateFileA
      • 490 da2c42
      • 491 da2c74-da2c85 call da2c88
      • 492 da2c48
      • 493 da2c51-da2c5b
      • 495 da2c4e
      • 497 da2e1b-da2e2f
      • 498 da2e3a-da2e4e
      • 499 da2e31-da2e38
      • 500 da2e4f-da3752
      • 522 da3758
      • Edges: 487->490 487->491 490->492 490->493 491->497 492->493 492->495 493->497 495->493 497->498 497->499 498->500 499->498 499->500 500->522 522->522
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      • Associated: the same 35 memory dumps listed under the first CreateFileA function above (not repeated here)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 20674b75b2ea0a58467926724ad24491daf158aef5b1c7550767c5de952071ce
      • Instruction ID: 7ab2b430e0689d7fde5fbd0d2943c84999c71d9bd0605191f353c71515688238
      • Opcode Fuzzy Hash: 20674b75b2ea0a58467926724ad24491daf158aef5b1c7550767c5de952071ce
      • Instruction Fuzzy Hash: F8618F7560824EDFDB01DF18C8446AE7BA6EF16311F24042AEC8287B41E7728D65DFA9

      Control-flow Graph (nodes as id, address range and API call; edges as id->id)
      • 523 da2c13-da2c3c CreateFileA
      • 525 da2c42
      • 526 da2c74-da2c85 call da2c88
      • 527 da2c48
      • 528 da2c51-da2c5b
      • 530 da2c4e
      • 532 da2e1b-da2e2f
      • 533 da2e3a-da2e4e
      • 534 da2e31-da2e38
      • 535 da2e4f-da3752
      • 557 da3758
      • Edges: 523->525 523->526 525->527 525->528 526->532 527->528 527->530 528->532 530->528 532->533 532->534 533->535 534->533 534->535 535->557 557->557
      APIs
      • CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      • Associated: the same 35 memory dumps listed under the first CreateFileA function above (not repeated here)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: R
      • API String ID: 823142352-1466425173
      • Opcode ID: 60cf265b811c70f6e2de7d785eb14db70cf52c9ffaa1f983f24641906dd0cc20
      • Instruction ID: 4f418d1cd4e047e4ed2113fb9e63c6611b2683991f9b0bff95a96554a6cc5cfb
      • Opcode Fuzzy Hash: 60cf265b811c70f6e2de7d785eb14db70cf52c9ffaa1f983f24641906dd0cc20
      • Instruction Fuzzy Hash: 3251717560824EDFDB01DF18C8446EF7BA6EB16311F24042AFC8287B40E7728D649FA9

      Control-flow Graph (nodes as id, address range and API call; edges as id->id)
      • 558 da078a-da078d LoadLibraryA
      • 559 da07a0-da08c1
      • 561 da08c2
      • Edges: 558->559 559->561 561->561
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      • Associated: the same 35 memory dumps listed under the first CreateFileA function above (not repeated here)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: LibraryLoad
      • String ID:
      • API String ID: 1029625771-0
      • Opcode ID: 5d918e251c8277a564931c67891052260894a4a96842c9fcb17ce2e3ae8ea9a9
      • Instruction ID: 08c7d2e84062ac848353de65043291894d433ca651e54509a787226b2fba0486
      • Opcode Fuzzy Hash: 5d918e251c8277a564931c67891052260894a4a96842c9fcb17ce2e3ae8ea9a9
      • Instruction Fuzzy Hash: 6531C4F2608700AFE315AE59D88176AFBE5EF98750F16482DE6D4C3650EA3494408B9B

      Control-flow Graph (nodes as id, address range and API call; edges as id->id)
      • 562 54c0d43-54c0d97
      • 565 54c0d9f-54c0da3
      • 566 54c0d99-54c0d9c
      • 567 54c0dab-54c0dda OpenSCManagerW
      • 568 54c0da5-54c0da8
      • 569 54c0ddc-54c0de2
      • 570 54c0de3-54c0df7
      • Edges: 562->565 562->566 565->567 565->568 566->565 567->569 567->570 568->567 569->570
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
      Memory Dump Source
      • Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: daa0c5d3169afd2aa21baa3537bf9d1ffb60dca1e13237f43463455ecdcfa8f1
      • Instruction ID: c9851a56175e13c4d6b2b10093118a1ac48c724a2e5be4912fc9e902cbfd409e
      • Opcode Fuzzy Hash: daa0c5d3169afd2aa21baa3537bf9d1ffb60dca1e13237f43463455ecdcfa8f1
      • Instruction Fuzzy Hash: 052134BAC00218DFCB50CF99D884BDEFBB4FB88310F14825AD809AB304D734A945CBA4

      Control-flow Graph (nodes as id, address range and API call; edges as id->id)
      • 572 54c0d48-54c0d97
      • 574 54c0d9f-54c0da3
      • 575 54c0d99-54c0d9c
      • 576 54c0dab-54c0dda OpenSCManagerW
      • 577 54c0da5-54c0da8
      • 578 54c0ddc-54c0de2
      • 579 54c0de3-54c0df7
      • Edges: 572->574 572->575 574->576 574->577 575->574 576->578 576->579 577->576 578->579
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
      Memory Dump Source
      • Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: c77b20b0212e201944c5acf93c4c6b20a0842b151f048727f8320f798fa1a09c
      • Instruction ID: cbd98200d411ddf8ecde7304e2a3a33a22fb3f4e9dbf4ed1c88341188fe96633
      • Opcode Fuzzy Hash: c77b20b0212e201944c5acf93c4c6b20a0842b151f048727f8320f798fa1a09c
      • Instruction Fuzzy Hash: 2C2132BAC00218DFCB50CF99D884ADEFBB4FB88310F14825AD809AB304D734A941CBA4
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 054C1580
      Memory Dump Source
      • Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 3e87baadcd19fe63bc44e5c582199a6ca962215a6aa0867b0470dd541e8d37c2
      • Instruction ID: a7e11662176bb5c9603b28f4718c255ee449111549cbc543c0d4c8cc5ca0eb8e
      • Opcode Fuzzy Hash: 3e87baadcd19fe63bc44e5c582199a6ca962215a6aa0867b0470dd541e8d37c2
      • Instruction Fuzzy Hash: 5311E7B5D002499FDB10CF9AC584BDEFBF4FB48310F10842AE559A3251D378A945CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 054C1580
      Memory Dump Source
      • Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 3aadec48e42bfea089e13d4541bdbef39fd805ba05ad3265f258585d820e4c74
      • Instruction ID: 8d760b288a29519f1bd40c389746a1b7f3575c66409ad117db11bc00313b89c9
      • Opcode Fuzzy Hash: 3aadec48e42bfea089e13d4541bdbef39fd805ba05ad3265f258585d820e4c74
      • Instruction Fuzzy Hash: C32106B5D002498FDB10CF9AC584BDEBBF4FB48310F10852AE459A3240D378A945CFA5
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
      Memory Dump Source
      • Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: c92d56a241e85c4412653066b4fdc8a87e76239235168dae07479762479fe905
      • Instruction ID: 9230c0a6ea70dcf2acfcc8435b19aae38b740efa30f59eb58a257524c472f7aa
      • Opcode Fuzzy Hash: c92d56a241e85c4412653066b4fdc8a87e76239235168dae07479762479fe905
      • Instruction Fuzzy Hash: 2F1155B1800249CFDB20CF9AC845BDEFBF4EF48324F20845AD418A3250C378A984CFA4
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
      Memory Dump Source
      • Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 51d1c75e1df022c5c9d2b6ff8891d7c62697d70be2a37d800fbe4a4d94656422
      • Instruction ID: 3ba650e5c71c79dec8d91d1419e948277d366a4ab4a0c1bf9c9fe5df9d703b07
      • Opcode Fuzzy Hash: 51d1c75e1df022c5c9d2b6ff8891d7c62697d70be2a37d800fbe4a4d94656422
      • Instruction Fuzzy Hash: E81133B1C00249CFDB20CF9AC545BDEFBF8EB48324F20846AD518A3650D778A984CFA5
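The API and Memory Dump Source lines in this report follow a fixed format, and the split that matters for triage is between functions whose dump is "based on PE: true" (the image mapped at 00C10000, where the CreateFileA and LoadLibraryA references sit) and functions whose dump is "based on PE: false" (the region at 054C0000, where the OpenSCManagerW, ControlService and ImpersonateLoggedOnUser references sit). The script below is an added example, not part of this report or of Joe Sandbox's own tooling: it parses blocks written in this format and lists every API reference made from an executable region that is not backed by a PE image. It assumes that an .sdmp file name is laid out as <pid>.<phase>.<id>.<base>.<protect>.<...> and that the <protect> field is a winnt.h PAGE_* value (so 00000040 reads as PAGE_EXECUTE_READWRITE); neither field meaning is stated on the page.

```python
"""Triage helper for the per-function blocks of a Joe Sandbox report.

Added example, not part of the report or of Joe Sandbox's tooling. It parses
the "APIs" and "Memory Dump Source" lines in the format shown on this page and
flags API references made from memory the report marks "based on PE: false",
i.e. code written at runtime rather than mapped from the sample on disk.
Assumption not stated on the page: a .sdmp name is laid out as
<pid>.<phase>.<id>.<base>.<protect>.<...>, with <protect> a winnt.h PAGE_* value.
"""
import re
from dataclasses import dataclass, field

PAGE_PROTECT = {  # winnt.h memory-protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Matches "CreateFileA.KERNELBASE(?,000000E7,...), ref: 00DA2C2E" and the
# argument-less form "ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367".
API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")


@dataclass
class ApiRef:
    api: str
    module: str
    args: list
    ref: int  # call-site address from "ref:"


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)
    dump: str = ""
    offset: int = 0    # "Offset:" value (image base for PE-backed dumps)
    base: int = 0      # base-address field of the .sdmp name (assumption)
    protect: int = 0   # protection field of the .sdmp name (assumption)
    pe_backed: bool = True


def parse_report(text):
    """One FuncBlock per "APIs" section of the report text."""
    blocks, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = FuncBlock()
            blocks.append(cur)
        elif cur is not None and (m := SRC_RE.search(s)):
            fields = m.group("dump").split(".")
            cur.dump, cur.offset = m.group("dump"), int(m.group("offset"), 16)
            cur.base, cur.protect = int(fields[3], 16), int(fields[4], 16)
            cur.pe_backed = m.group("pe") == "true"
        elif cur is not None and (m := API_RE.search(s)):
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            cur.apis.append(ApiRef(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return blocks


def flag_unbacked_calls(blocks):
    """(api, call_site, region_base, protection) for each API reference whose
    function sits in an executable region not backed by a PE image. The report
    lists some functions twice, so entries are deduplicated on (api, call_site)."""
    seen, flagged = set(), []
    for b in blocks:
        if b.pe_backed or b.protect not in EXECUTABLE:
            continue
        for a in b.apis:
            if (a.api, a.ref) not in seen:
                seen.add((a.api, a.ref))
                flagged.append((a.api, a.ref, b.base, PAGE_PROTECT.get(b.protect, hex(b.protect))))
    return flagged


# Lines copied from the report on this page: one PE-backed function, then
# three blocks from the region at 054C0000 (the last function listed twice).
SAMPLE = """\
APIs
• CreateFileA.KERNELBASE(?,000000E7,?,7C1152B0,00000003,00000000,00000003,1F544F31,00000000), ref: 00DA2C2E
Memory Dump Source
• Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
Memory Dump Source
• Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
APIs
• ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
Memory Dump Source
• Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
APIs
• ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
Memory Dump Source
• Source File: 00000000.00000002.1477051630.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
"""

if __name__ == "__main__":
    for api, ref, base, prot in flag_unbacked_calls(parse_report(SAMPLE)):
        print(f"{api:<24} call site {ref:08X}  region {base:08X}  {prot}")
```

Run it over the saved text of a report; the sample input here is four blocks copied from this page. The call-site address (the `ref:` value) is the pivot for matching a flagged entry back to the dumped region when the corresponding .sdmp or the hcaresult_0_2_54c0000_file.jbxd snapshot is opened in a disassembler.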
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      • Associated: the same 35 memory dumps listed under the first CreateFileA function above (not repeated here)
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: b254d583a3a82407c5eff0437072231b5e0dbda196a90581e52436a886ccda54
      • Instruction ID: 5fd1cdf408bb784f7f578a919c6e2c3527dc5def98404b1327429cec90cd33a4
      • Opcode Fuzzy Hash: b254d583a3a82407c5eff0437072231b5e0dbda196a90581e52436a886ccda54
      • Instruction Fuzzy Hash: A0D0A7E040D3499BC71413254C2801B7B74BFC7330B251BCDA0F3990E2E639D915B221
      APIs
      • VirtualAlloc.KERNELBASE(00000000), ref: 00C1EB57
      Memory Dump Source
      • Source File: 00000000.00000002.1471160114.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 9e0e2650a30cfbd27a203609096540bcab7529abac6808de4aaeafdff006acc0
      • Instruction ID: 5a97fa35dd005582b62449a7969dfb692712367514bdc4adb80cf5cc334d0452
      • Opcode Fuzzy Hash: 9e0e2650a30cfbd27a203609096540bcab7529abac6808de4aaeafdff006acc0
      • Instruction Fuzzy Hash: D2E0927010C24D8BD7109F268408AEE77B4EF83711F70411E786283680DB719C81B62A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1471160114.0000000000C1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID:
      • String ID: NTDL
      • API String ID: 0-3662016964
      • Opcode ID: af08921ced1ad0033a406983a4ae30aa0d972784546733a205b840b974237049
      • Instruction ID: cfbd997def4d603b79d9a609800962b01eb6dd62c07dabdbd326e1641a518d83
      • Opcode Fuzzy Hash: af08921ced1ad0033a406983a4ae30aa0d972784546733a205b840b974237049
      • Instruction Fuzzy Hash: 8EA1E17250821A9FDB05CE65C6405EE3BA5EF87330B74412AFC02C3A42D7B21E91FB59
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID:
      • String ID: Mq/
      • API String ID: 0-3471337995
      • Opcode ID: 4224a49b83e39c6bce189910daceed05b59423e915e1407a84b4fdd4cd49378a
      • Instruction ID: 35c331659a5e6904b986844729e06520a0f206d812c01014dc8af811d08bc205
      • Opcode Fuzzy Hash: 4224a49b83e39c6bce189910daceed05b59423e915e1407a84b4fdd4cd49378a
      • Instruction Fuzzy Hash: 354168B250C610AFD705AF18D8426BEFBE8EF95760F22082EE6C5D3610D7358844CB97
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID:
      • String ID: Mq/
      • API String ID: 0-3471337995
      • Opcode ID: 19a9fcb2c6159a654e0ff7deb3a6c3b44f3ec6213d31e88096e80f8424dce53d
      • Instruction ID: b9fdbb499a7dec29989059c9884bc83263e2f0f8e241305d7a1bbf1496fb47df
      • Opcode Fuzzy Hash: 19a9fcb2c6159a654e0ff7deb3a6c3b44f3ec6213d31e88096e80f8424dce53d
      • Instruction Fuzzy Hash: B24159B250C610AFD315AF18D8426BAFBF8FF99720F22482DE6C5D2650DA3588448B97
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID:
      • String ID: Mq/
      • API String ID: 0-3471337995
      • Opcode ID: b2cdbd76e9e7f44671d6d6d71ae63e47b9f1ef00b60504a54083f00370ccf175
      • Instruction ID: 768b94d91e2b33db3160789dcddbb0e706678c0e4f15732a081d2c9992d61725
      • Opcode Fuzzy Hash: b2cdbd76e9e7f44671d6d6d71ae63e47b9f1ef00b60504a54083f00370ccf175
      • Instruction Fuzzy Hash: 254124B250C610AFD305AF18D8426BAFBE9EF58721F26482EE6D5C2650DA3588408B97
      Memory Dump Source
      • Source File: 00000000.00000002.1473332317.0000000000D9D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_c10000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4c72e4c6fa66b6271fb65df3acb86380a09d3b463acd3ac517d7984dcb4bae5b
      • Instruction ID: b159dbe7fb72a2d1199ddf7bd7f92c4c352aebe0f7855710e1ec1ab9e97df3fb
      • Opcode Fuzzy Hash: 4c72e4c6fa66b6271fb65df3acb86380a09d3b463acd3ac517d7984dcb4bae5b
      • Instruction Fuzzy Hash: B211087600C109BEEB01CF5F9A50AFE3779EAC7730730481AF486D2853C3648D466279