
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1560052
MD5: 8d6be2ae7d7980c17bfcc04baff0197b
SHA1: c6276d5eb88d2e3c262d56a8b2d34c120eb7f635
SHA256: 3ac34007735480d39372d9f6134c2068c716fe5514d608a351ca9a6d7bc56fe2
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5812 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8D6BE2AE7D7980C17BFCC04BAFF0197B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2148246393.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name: (blank in report)
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B257B7 | 0_2_00B257B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6FEEB | 0_2_00D6FEEB
Source: file.exe, 00000000.00000002.2283178689.00000000010CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2141283694.0000000000B16000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2763264 > 1048576
Source: file.exe | Static PE information: Raw size of amvqvmpn is bigger than: 0x100000 < 0x29ca00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2148246393.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W;amvqvmpn:EW;turhvfhb:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a9c9f should be: 0x2a3c69
Source: file.exe | Static PE information: section name: (blank in report)
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: amvqvmpn
Source: file.exe | Static PE information: section name: turhvfhb
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9C933 push 3748EB9Fh; mov dword ptr [esp], eax | 0_2_00C9C979
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9C933 push eax; mov dword ptr [esp], esp | 0_2_00C9C97D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C90AD4 push 26F2D84Fh; mov dword ptr [esp], edx | 0_2_00C90B70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910C9 push 5084CE8Eh; mov dword ptr [esp], edx | 0_2_00C910EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910C9 push edx; mov dword ptr [esp], 5B7E9204h | 0_2_00C9113E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910C9 push ebp; mov dword ptr [esp], 78FE40DAh | 0_2_00C91177
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910C9 push edx; mov dword ptr [esp], edi | 0_2_00C9121B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C960CC push edi; mov dword ptr [esp], 089DA294h | 0_2_00C96120
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C960CC push ecx; mov dword ptr [esp], eax | 0_2_00C96205
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C970C2 push ebp; mov dword ptr [esp], 29D762E6h | 0_2_00C9765B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B230A3 push 71FFC40Bh; mov dword ptr [esp], ebx | 0_2_00B230B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B230A3 push 10EA50E7h; mov dword ptr [esp], esi | 0_2_00B252EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C970DB push 6EF76600h; mov dword ptr [esp], edi | 0_2_00C97595
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910D0 push edx; mov dword ptr [esp], 5B7E9204h | 0_2_00C9113E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910D0 push ebp; mov dword ptr [esp], 78FE40DAh | 0_2_00C91177
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C910D0 push edx; mov dword ptr [esp], edi | 0_2_00C9121B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C940E4 push eax; ret | 0_2_00C940F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C960E4 push edi; mov dword ptr [esp], 089DA294h | 0_2_00C96120
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C960E4 push ecx; mov dword ptr [esp], eax | 0_2_00C96205
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C95084 push eax; mov dword ptr [esp], esp | 0_2_00C950CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C95084 push ebx; mov dword ptr [esp], ecx | 0_2_00C95209
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C95099 push ebp; mov dword ptr [esp], eax | 0_2_00C95170
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C940A6 push esi; ret | 0_2_00C940B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B210C5 push edi; mov dword ptr [esp], eax | 0_2_00B214A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B1D0CB push 7E6F368Fh; mov dword ptr [esp], edx | 0_2_00B1D0F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D00050 push ebp; mov dword ptr [esp], esp | 0_2_00D00083
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9705B push 4874342Fh; mov dword ptr [esp], esp | 0_2_00C97063
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C9705B push 1A958800h; mov dword ptr [esp], edx | 0_2_00C97070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C93051 push eax; mov dword ptr [esp], edi | 0_2_00C9306A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA5068 push 426E74DFh; mov dword ptr [esp], esi | 0_2_00CA509D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA5068 push edx; mov dword ptr [esp], eax | 0_2_00CA52A2
Source: file.exe | Static PE information: section name: (blank in report) entropy: 7.803941688593309
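Every `push X; mov dword ptr [esp], Y` pair listed above pushes a dead value and immediately overwrites it, so it is just `push Y` written as two instructions, and `push reg; ret` is an indirect `jmp reg`. The Python below is an added example, not Joe Sandbox code, that parses Code function lines in the form this page extracts them (the site address fused onto the last operand, which is an assumption about this page's layout; a `|` separator before it is also accepted) and rewrites each pair to its single-instruction equivalent. It also handles the one pair that is not a plain substitution: `mov [esp], esp` stores the post-push esp, so it is `push esp-4`, not `push esp`.

```python
import re

# Report layout (assumed from this page): "... Code function: 0_2_<func> <asm>0_2_<site>"
# with the site address fused onto the operand; an optional " | " before it is tolerated.
LINE_RE = re.compile(r"Code function:\s*(?P<func>\d+_\d+_[0-9A-Fa-f]{8})\s+"
                     r"(?P<asm>.*?)\s*\|?\s*(?P<site>\d+_\d+_[0-9A-Fa-f]{8})$")
PUSH_MOV_RE = re.compile(r"^push\s+(?P<dead>[^;]+);\s*mov\s+dword\s+ptr\s+\[esp\],\s*(?P<src>\S+)$")
PUSH_RET_RE = re.compile(r"^push\s+(?P<reg>e(?:ax|bx|cx|dx|si|di|bp|sp));\s*ret$")
MASM_HEX_RE = re.compile(r"^([0-9A-Fa-f]+)h$")
BYTE_REGS = {"ah", "bh", "ch", "dh"}      # look like MASM hex literals but are registers


def normalise_operand(op: str) -> str:
    """MASM-style 3748EB9Fh -> 0x3748EB9F; registers come back unchanged."""
    m = MASM_HEX_RE.match(op)
    return f"0x{m[1].upper()}" if m and op.lower() not in BYTE_REGS else op


def simplify(asm: str) -> str:
    """Single instruction equivalent to an obfuscated pair, or the input unchanged."""
    asm = asm.strip()
    m = PUSH_MOV_RE.match(asm)
    if m:
        # The pushed value is dead: the store to [esp] overwrites it before anything reads it.
        src = normalise_operand(m["src"])
        # Caveat: push lowers esp before the store, so storing esp writes the post-push
        # value; a plain `push esp` would push the pre-push value, which is 4 higher.
        return "push esp-4" if src == "esp" else f"push {src}"
    m = PUSH_RET_RE.match(asm)
    if m:
        return f"jmp {m['reg']}"            # push reg; ret == indirect jump through reg
    return asm


def deobfuscate(report_lines):
    """(function, site, original asm, simplified asm) for every Code function line."""
    out = []
    for line in report_lines:
        m = LINE_RE.search(line)
        if m:
            out.append((m["func"], m["site"], m["asm"].strip(), simplify(m["asm"])))
    return out


# Constructed input: five Code function lines copied from this report, in the fused form
# the page extracts them.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C9C933 push 3748EB9Fh; mov dword ptr [esp], eax0_2_00C9C979",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C9C933 push eax; mov dword ptr [esp], esp0_2_00C9C97D",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C910D0 push edx; mov dword ptr [esp], 5B7E9204h0_2_00C9113E",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C940E4 push eax; ret 0_2_00C940F3",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C940A6 push esi; ret 0_2_00C940B5",
]

if __name__ == "__main__":
    for func, site, original, simplified in deobfuscate(REPORT_LINES):
        print(f"{func} @ {site}: {original:44} => {simplified}")
```

The rewrite is only valid when nothing between the two instructions reads the stack slot or the flags, which holds for the back-to-back pairs the report lists; a disassembler-level pass would additionally check that the `mov` is the sole successor of the `push`.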

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (reported 16 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C90969 second address: C9096F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9096F second address: C909A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F2B15224EA8h 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop esi 0x0000000d jnl 00007F2B15224E98h 0x00000013 pushad 0x00000014 popad 0x00000015 push edi 0x00000016 ja 00007F2B15224E96h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C90C2C second address: C90C46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D2h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C90C46 second address: C90C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C90C4A second address: C90C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9126D second address: C9128A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F2B15224E96h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F2B15224EA0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9128A second address: C91295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9412B second address: C94135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2B15224E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C941DC second address: C941E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C941E2 second address: C941E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C941E8 second address: C941EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C941EC second address: C94205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94205 second address: C9420A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9420A second address: C94214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F2B15224E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C943B4 second address: C9441E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F2B14BED9C8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 xor dword ptr [ebp+122D1D08h], edx 0x00000029 push 00000000h 0x0000002b call 00007F2B14BED9C9h 0x00000030 jmp 00007F2B14BED9D9h 0x00000035 push eax 0x00000036 jbe 00007F2B14BED9CEh 0x0000003c push esi 0x0000003d jbe 00007F2B14BED9C6h 0x00000043 pop esi 0x00000044 mov eax, dword ptr [esp+04h] 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C9441E second address: C94424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94424 second address: C94440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F2B14BED9C6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e jc 00007F2B14BED9D8h 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F2B14BED9C6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94440 second address: C94458 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F2B15224E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 ja 00007F2B15224E96h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94458 second address: C944D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F2B14BED9C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop eax 0x0000000f call 00007F2B14BED9D3h 0x00000014 jmp 00007F2B14BED9CCh 0x00000019 pop ecx 0x0000001a clc 0x0000001b push 00000003h 0x0000001d mov edi, ecx 0x0000001f push 00000000h 0x00000021 call 00007F2B14BED9D5h 0x00000026 sbb di, CC8Ah 0x0000002b pop ecx 0x0000002c push 00000003h 0x0000002e or edx, dword ptr [ebp+122D385Ah] 0x00000034 mov esi, 0A509520h 0x00000039 call 00007F2B14BED9C9h 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F2B14BED9D4h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C944D5 second address: C944DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C944DB second address: C94552 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2B14BED9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F2B14BED9D0h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 jl 00007F2B14BED9DDh 0x0000001d jmp 00007F2B14BED9D7h 0x00000022 popad 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F2B14BED9CFh 0x0000002e pop edx 0x0000002f pop eax 0x00000030 mov eax, dword ptr [eax] 0x00000032 jmp 00007F2B14BED9D5h 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94552 second address: C94556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C94556 second address: C9455A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C89E76 second address: C89E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224E9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB160E second address: CB163F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnc 00007F2B14BED9C6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F2B14BED9D5h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F2B14BED9CAh 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB163F second address: CB1643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB1643 second address: CB1664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F2B14BED9D4h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB18FC second address: CB190A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224E9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB190A second address: CB1926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B14BED9D2h 0x00000009 jne 00007F2B14BED9C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB1A9D second address: CB1AD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d ja 00007F2B15224E96h 0x00000013 jp 00007F2B15224E96h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e jns 00007F2B15224E96h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB1AD2 second address: CB1AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB2492 second address: CB2497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA8C14 second address: CA8C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA8C18 second address: CA8C26 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F2B15224E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C831E9 second address: C831F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007F2B14BED9C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C831F4 second address: C83201 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F2B15224E9Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83201 second address: C83211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F2B14BED9C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83211 second address: C83219 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83219 second address: C8321E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8321E second address: C8323A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B15224EA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8323A second address: C83253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F2B14BED9CEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB25DD second address: CB25E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB25E3 second address: CB25EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB2CA3 second address: CB2CAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB2DF6 second address: CB2DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB2DFA second address: CB2E00 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB2E00 second address: CB2E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F2B14BED9CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB31F7 second address: CB3209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F2B15224E96h 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F2B15224E96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8297 second address: CB82A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F2B14BED9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB82A1 second address: CB82A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB896E second address: CB8973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8973 second address: CB8978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB7924 second address: CB7933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F2B14BED9C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8A6B second address: CB8A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8A6F second address: CB8A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2B14BED9CFh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2B14BED9CDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CB8A95 second address: CB8ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f jnl 00007F2B15224E96h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8ABE second address: CB8ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F2B14BED9CBh 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8ADA second address: CB8AF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e jmp 00007F2B15224E9Ch 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8C35 second address: CB8C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8C39 second address: CB8C53 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B15224E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F2B15224E9Ch 0x00000014 ja 00007F2B15224E96h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8C53 second address: CB8C6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B14BED9D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBEBA9 second address: CBEBAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBDF52 second address: CBDF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F2B14BED9D6h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBDF6F second address: CBDF7B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2B15224E9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBE6D2 second address: CBE6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBE6D8 second address: CBE6DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBE6DE second address: CBE6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F2B14BED9C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBE84F second address: CBE85D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F2B15224E9Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBE85D second address: CBE867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F2B14BED9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFF63 second address: CBFF68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBFF68 second address: CBFF6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0235 second address: CC023A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC023A second address: CC0240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC049F second address: CC04A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC04A3 second address: CC04AD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2B14BED9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0557 second address: CC0568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F2B15224E98h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0AF3 second address: CC0AFD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B14BED9CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0AFD second address: CC0B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], ebx 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F2B15224E98h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 jmp 00007F2B15224EA4h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jnc 00007F2B15224EAAh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0B59 second address: CC0B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B14BED9CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0D6B second address: CC0D6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0F38 second address: CC0F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F2B14BED9C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0F43 second address: CC0F5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2B15224E9Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1620 second address: CC1637 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2027 second address: CC202B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1E1F second address: CC1E3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B14BED9D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC202B second address: CC2039 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F2B15224E9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1E3A second address: CC1E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4179 second address: CC4182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4182 second address: CC418D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2B14BED9C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4804 second address: CC4863 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F2B15224E96h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d or dword ptr [ebp+122D26DEh], ecx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F2B15224E98h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f jns 00007F2B15224E9Ch 0x00000035 push 00000000h 0x00000037 or edi, dword ptr [ebp+122D1F79h] 0x0000003d jc 00007F2B15224E9Ch 0x00000043 sub dword ptr [ebp+122D35FBh], edi 0x00000049 push eax 0x0000004a push ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4863 second address: CC4867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2983 second address: CC298D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2B15224E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC298D second address: CC29C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F2B14BED9CFh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC526A second address: CC526E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC526E second address: CC5277 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC5D1F second address: CC5D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC674D second address: CC6776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F2B14BED9D2h 0x00000010 jo 00007F2B14BED9CCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC873E second address: CC8748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F2B15224E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC8748 second address: CC8772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2B14BED9CFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCC946 second address: CCC966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2B15224E96h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jl 00007F2B15224EA3h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F2B15224E9Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCC966 second address: CCC96B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCDFA7 second address: CCDFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCDFAB second address: CCDFB5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B14BED9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCDFB5 second address: CCDFC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F2B15224E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC6F41 second address: CC6F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC6F47 second address: CC6F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD45BD second address: CD45CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2B14BED9CBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC99CC second address: CC99E7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B15224E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F2B15224E96h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCE1AF second address: CCE1C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCE1C9 second address: CCE1D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F2B15224E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CCF10A second address: CCF11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F2B14BED9CCh 0x0000000e jns 00007F2B14BED9C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD0109 second address: CD01A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ecx 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F2B15224E98h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D3054h] 0x00000029 push dword ptr fs:[00000000h] 0x00000030 call 00007F2B15224EA7h 0x00000035 mov di, cx 0x00000038 pop edi 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D398Eh] 0x00000046 mov eax, dword ptr [ebp+122D15F1h] 0x0000004c mov ebx, dword ptr [ebp+122D36F6h] 0x00000052 push FFFFFFFFh 0x00000054 jmp 00007F2B15224EA4h 0x00000059 nop 0x0000005a jnc 00007F2B15224EA2h 0x00000060 push eax 0x00000061 je 00007F2B15224EA4h 0x00000067 push eax 0x00000068 push edx 0x00000069 jp 00007F2B15224E96h 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD6475 second address: CD6502 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F2B14BED9C8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 xor dword ptr [ebp+122D1F63h], esi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F2B14BED9C8h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 or ebx, dword ptr [ebp+122D388Ah] 0x0000004e push 00000000h 0x00000050 mov edi, dword ptr [ebp+122D39CAh] 0x00000056 xchg eax, esi 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a ja 00007F2B14BED9C6h 0x00000060 jmp 00007F2B14BED9D4h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD364A second address: CD364E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD948E second address: CD94BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F2B14BED9CCh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD94BD second address: CD94E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F2B15224EA0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDA5C2 second address: CDA5EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F2B14BED9D3h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2B14BED9CCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB6AA second address: CDB6C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDB6C7 second address: CDB6CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDC876 second address: CDC87C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDC87C second address: CDC881 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDC881 second address: CDC8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c or edi, dword ptr [ebp+122D37BEh] 0x00000012 push 00000000h 0x00000014 call 00007F2B15224E9Dh 0x00000019 jns 00007F2B15224E9Ch 0x0000001f pop edi 0x00000020 push edx 0x00000021 jmp 00007F2B15224EA7h 0x00000026 pop edi 0x00000027 push eax 0x00000028 push ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b push ecx 0x0000002c pop ecx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD863B second address: CD8640 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDE801 second address: CDE806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDE806 second address: CDE80D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDE80D second address: CDE8A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D32AEh], ecx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F2B15224E98h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F2B15224E98h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 call 00007F2B15224EA5h 0x0000004d mov edi, 27968358h 0x00000052 pop ebx 0x00000053 xchg eax, esi 0x00000054 push edi 0x00000055 pushad 0x00000056 push edi 0x00000057 pop edi 0x00000058 jmp 00007F2B15224EA7h 0x0000005d popad 0x0000005e pop edi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDE8A5 second address: CDE8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B14BED9D5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDDA78 second address: CDDB05 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2B15224E98h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e cmc 0x0000000f jmp 00007F2B15224EA0h 0x00000014 popad 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov bx, 7E76h 0x00000027 mov eax, dword ptr [ebp+122D0939h] 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007F2B15224E98h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D32B6h], ecx 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push edx 0x00000052 call 00007F2B15224E98h 0x00000057 pop edx 0x00000058 mov dword ptr [esp+04h], edx 0x0000005c add dword ptr [esp+04h], 00000015h 0x00000064 inc edx 0x00000065 push edx 0x00000066 ret 0x00000067 pop edx 0x00000068 ret 0x00000069 mov dword ptr [ebp+122D1D03h], ecx 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 push esi 0x00000073 push ebx 0x00000074 pop ebx 0x00000075 pop esi 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CDDB05 second address: CDDB2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2B14BED9D2h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F2B14BED9C8h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE580B second address: CE582A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F2B15224EA3h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE582A second address: CE582E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE69EE second address: CE69F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE69F6 second address: CE6A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jnc 00007F2B14BED9C6h 0x0000000c pop edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 jbe 00007F2B14BED9C6h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEAED1 second address: CEAEEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEAAEA second address: CEAAEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CEAAEE second address: CEAAF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA7D4 second address: CFA7EB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B14BED9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F2B14BED9C6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA7EB second address: CFA7F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA7F1 second address: CFA7F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA7F6 second address: CFA821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jo 00007F2B15224EC8h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F2B15224EA6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA895 second address: CFA8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2B14BED9C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d jl 00007F2B14BED9DBh 0x00000013 push ebx 0x00000014 jmp 00007F2B14BED9D3h 0x00000019 pop ebx 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e push ebx 0x0000001f push edi 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 pop edi 0x00000023 pop ebx 0x00000024 mov eax, dword ptr [eax] 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 pushad 0x0000002a popad 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFA9BD second address: B1DB0E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B15224E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 00BD647Fh 0x00000011 pushad 0x00000012 mov ax, DD7Ch 0x00000016 popad 0x00000017 push dword ptr [ebp+122D040Dh] 0x0000001d stc 0x0000001e call dword ptr [ebp+122D20FAh] 0x00000024 pushad 0x00000025 jng 00007F2B15224EA2h 0x0000002b xor eax, eax 0x0000002d or dword ptr [ebp+122D288Fh], edx 0x00000033 mov edx, dword ptr [esp+28h] 0x00000037 mov dword ptr [ebp+122D288Fh], esi 0x0000003d mov dword ptr [ebp+122D36FEh], eax 0x00000043 jmp 00007F2B15224EA2h 0x00000048 mov esi, 0000003Ch 0x0000004d sub dword ptr [ebp+122D288Fh], esi 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 mov dword ptr [ebp+122D288Fh], ebx 0x0000005d lodsw 0x0000005f jne 00007F2B15224E9Ch 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 pushad 0x0000006a xor dword ptr [ebp+122D288Fh], eax 0x00000070 jmp 00007F2B15224EA7h 0x00000075 popad 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a clc 0x0000007b push eax 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f pushad 0x00000080 popad 0x00000081 pushad 0x00000082 popad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D003A8 second address: D003CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jmp 00007F2B14BED9D5h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D003CB second address: D003E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F2B15224E9Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF16B second address: CFF171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CFF171 second address: CFF179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D000D5 second address: D000DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D000DB second address: D000F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2B15224E96h 0x0000000a jg 00007F2B15224E96h 0x00000010 popad 0x00000011 push ecx 0x00000012 jmp 00007F2B15224E9Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02E3E second address: D02E48 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2B14BED9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02E48 second address: D02E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F2B15224EA8h 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F2B15224E96h 0x00000012 popad 0x00000013 jp 00007F2B15224E9Ah 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c pop eax 0x0000001d pop edx 0x0000001e pop eax 0x0000001f pushad 0x00000020 push edi 0x00000021 pushad 0x00000022 popad 0x00000023 pop edi 0x00000024 push ebx 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 pop ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F2B15224EA2h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D02E99 second address: D02E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07FD6 second address: D07FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B15224EA3h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F2B15224E96h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D07FF6 second address: D08000 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B14BED9C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0817D second address: D08181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08707 second address: D0870D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0870D second address: D08711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08711 second address: D08717 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08717 second address: D0871D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0871D second address: D08732 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B14BED9CBh 0x00000009 js 00007F2B14BED9C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08CE6 second address: D08CF6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F2B15224EA2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08CF6 second address: D08CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08CFC second address: D08D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08D04 second address: D08D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D08D0A second address: D08D0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA97DC second address: CA982A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F2B14BED9C6h 0x00000010 jmp 00007F2B14BED9D3h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F2B14BED9D8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CA982A second address: CA9843 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7E168 second address: C7E177 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnp 00007F2B14BED9C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7E177 second address: C7E18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F2B15224E9Dh 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09113 second address: D09117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D09117 second address: D09147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B15224E9Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F2B15224EA9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D07A45 second address: D07A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D07A4C second address: D07A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2B15224E96h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F2B15224EA4h 0x00000014 jmp 00007F2B15224E9Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D07A6E second address: D07A94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9CDh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F2B14BED9D3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0C771 second address: D0C77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jl 00007F2B15224E96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA313 second address: CCA31D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2B14BED9CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA31D second address: CCA35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 and dh, 00000021h 0x0000000c lea eax, dword ptr [ebp+12480090h] 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F2B15224E98h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov edx, 1F58EB10h 0x00000031 nop 0x00000032 pushad 0x00000033 pushad 0x00000034 ja 00007F2B15224E96h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA35E second address: CCA37A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F2B14BED9CCh 0x0000000b jnc 00007F2B14BED9C6h 0x00000011 popad 0x00000012 push eax 0x00000013 jo 00007F2B14BED9CEh 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA37A second address: CA8C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007F2B15224E98h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 call 00007F2B15224EA2h 0x00000025 mov edx, 3ED0ACD9h 0x0000002a pop ecx 0x0000002b mov dx, di 0x0000002e call dword ptr [ebp+122D2551h] 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007F2B15224E96h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA9E8 second address: CCA9FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2B14BED9CDh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCAB39 second address: CCAB3F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCAB3F second address: CCAB52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2B14BED9CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCAB52 second address: CCAB8F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2B15224E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], esi 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F2B15224E98h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edx, dword ptr [ebp+122D1F4Ch] 0x0000002f push eax 0x00000030 jng 00007F2B15224EA0h 0x00000036 push eax 0x00000037 push edx 0x00000038 push ebx 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCB24D second address: CCB257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F2B14BED9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CA26 second address: D0CA30 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2B15224E9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CB74 second address: D0CB7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CB7A second address: D0CB9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F2B15224E9Dh 0x0000000c jmp 00007F2B15224E9Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CCDB second address: D0CCDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CE50 second address: D0CE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2B15224E96h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CE63 second address: D0CE7B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F2B14BED9D3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CFA0 second address: D0CFAB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007F2B15224E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0CFAB second address: D0CFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jl 00007F2B14BED9D2h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D0EA second address: D0D0F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D0F0 second address: D0D0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D367 second address: D0D36B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D36B second address: D0D38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B14BED9D8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D38F second address: D0D397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D397 second address: D0D3AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2B14BED9CAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D3AF second address: D0D3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D3B5 second address: D0D3B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0D3B9 second address: D0D3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jne 00007F2B15224E96h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1651F second address: D1653B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007F2B14BED9D2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1653B second address: D16544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16544 second address: D1655F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B14BED9D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16952 second address: D16956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15F3B second address: D15F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15F3F second address: D15F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16C35 second address: D16C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16C39 second address: D16C53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16EE3 second address: D16EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16EE8 second address: D16F0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F2B15224E96h 0x0000000a jmp 00007F2B15224EA9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16F0B second address: D16F1C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2B14BED9C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16F1C second address: D16F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F2B15224E96h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1CF7B second address: D1CF98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B14BED9D0h 0x00000009 push eax 0x0000000a pop eax 0x0000000b ja 00007F2B14BED9C6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C990 second address: D1C9E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F2B15224E9Eh 0x00000008 jne 00007F2B15224E96h 0x0000000e pop ecx 0x0000000f push ebx 0x00000010 jng 00007F2B15224E96h 0x00000016 pop ebx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F2B15224E9Eh 0x00000021 jnl 00007F2B15224E96h 0x00000027 jmp 00007F2B15224EA1h 0x0000002c jp 00007F2B15224E96h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20E87 second address: D20EB8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F2B14BED9D6h 0x00000008 pop edx 0x00000009 jng 00007F2B14BED9DBh 0x0000000f jmp 00007F2B14BED9CFh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20FEB second address: D20FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D20FEF second address: D20FF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D21167 second address: D2116B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2116B second address: D211AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B14BED9D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F2B14BED9CCh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jmp 00007F2B14BED9D5h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D211AB second address: D211B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F2B15224E96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D211B5 second address: D211CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D215EE second address: D215FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F2B15224E96h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D215FE second address: D2160A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2B14BED9C6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2677C second address: D26787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F2B15224E96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26787 second address: D2678F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26903 second address: D26922 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2B15224E96h 0x00000008 jmp 00007F2B15224EA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26AB6 second address: D26ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26ABA second address: D26ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F2B15224E96h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27AA5 second address: D27AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F2B14BED9E2h 0x0000000b popad 0x0000000c push edx 0x0000000d js 00007F2B14BED9D6h 0x00000013 jmp 00007F2B14BED9CEh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jno 00007F2B14BED9C6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27AEE second address: D27AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A335 second address: D2A339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2A8C7 second address: D2A8CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31BD0 second address: D31BEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FC68 second address: D2FC7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224E9Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FC7B second address: D2FC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FC84 second address: D2FC97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B15224E9Eh 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FC97 second address: D2FCA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F2B14BED9C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FCA1 second address: D2FD09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224EA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F2B15224EA7h 0x0000000f jg 00007F2B15224E96h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push ecx 0x0000001a jmp 00007F2B15224E9Eh 0x0000001f pop ecx 0x00000020 jne 00007F2B15224EA2h 0x00000026 jmp 00007F2B15224E9Ch 0x0000002b jne 00007F2B15224E98h 0x00000031 push esi 0x00000032 pop esi 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE21 second address: D2FE5C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2B14BED9C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2B14BED9D9h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F2B14BED9CFh 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE5C second address: D2FE6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224E9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE6D second address: D2FE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE73 second address: D2FE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2B15224EA2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE8A second address: D2FE90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE90 second address: D2FE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2FE94 second address: D2FEA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30A65 second address: D30A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F2B15224E9Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3129A second address: D3129E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3129E second address: D312AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2B15224E96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3158B second address: D315A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B14BED9D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D315A4 second address: D315AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D315AA second address: D315AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3190B second address: D3190F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CC7 second address: D36CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36CCB second address: D36CDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2B15224E9Bh 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39ADF second address: D39AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F2B14BED9C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B1DB71 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CB6F19 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CE587E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B1DAA8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 50E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 50E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C941BD rdtsc 0_2_00C941BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CA4B0D sidt fword ptr [esp-02h] 0_2_00CA4B0D
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1172 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF6F36 GetSystemInfo,VirtualAlloc, 0_2_00CF6F36
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C941BD rdtsc 0_2_00C941BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CA5BD1 LdrInitializeThunk, 0_2_00CA5BD1
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VProgram Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 271 Virtualization/Sandbox Evasion | Security Account Manager | 271 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560052
Start date and time: 2024-11-21 11:02:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context (Joe Sandbox View: IPs, domains, ASNs, JA3 fingerprints, dropped files)
Dropped file
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
Note: the preview has the layout of a CLR assembly-binding usage log (fusion/GAC rows plus a native image, System.ni.dll, under NativeImages_v4.0.30319_32), a routine artifact written when the .NET runtime is loaded into a process. The report flags it Malicious: true while rating its reputation "very likely benign"; the content is a runtime by-product, not a payload. What it does tell an analyst is that file.exe loaded the CLR, although the process is classified below as "Programmed in: C, C++ or other language" and the static PE has no CLR header, which is consistent with a native packer stub around a .NET payload.
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.563093013016299
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'763'264 bytes
MD5: 8d6be2ae7d7980c17bfcc04baff0197b
SHA1: c6276d5eb88d2e3c262d56a8b2d34c120eb7f635
SHA256: 3ac34007735480d39372d9f6134c2068c716fe5514d608a351ca9a6d7bc56fe2
SHA512: 7c911345ac61f3cb11f790982a7c7856577a5eaf8c42ac904084dee167a6f4464adb62436780777efae41aa98cd3ed09c77b579862d3e0f5f139aa84fcce118f
SSDEEP: 49152:9NCDDt6uqGQ2XxCzynx+Px/hK/Lm9y1VGM0y/z:XCDDtDqGzXxxxE/Ia9kVEM
TLSH: D7D56C52B545B2CFE48E1778696BCF829A6D43B90B2108C3AD2D60B97DA3DC117FDC24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*.......*...`................................
(In the preview, the bytes after "PE.." read 4C 01 06 00 50 28 2C 65: machine 0x014C (i386), six sections, and the little-endian timestamp 0x652C2850 shown below.)
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6aa000 (virtual address; RVA 0x2aa000, the first byte of the .taggant section)
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instructions at the entry point (0x6aa000, .taggant):
jmp 00007F2B14F04CAAh
invd
sub al, byte ptr [eax]
add byte ptr [eax], al  (repeated 2 times)
jmp 00007F2B14F06CA5h
add byte ptr [eax], al  (repeated 4 times)
add byte ptr [0400000Ah], al
or al, byte ptr [eax]
add byte ptr [edx], al
or al, byte ptr [eax]
add byte ptr [ebx], cl
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al  (repeated 20 times)
add byte ptr [0000000Ah], al
add byte ptr [eax], al  (repeated 29 times)
add byte ptr [ecx], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al  (repeated 2 times)
adc byte ptr [eax], al
add byte ptr [eax], al  (repeated 3 times)
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al  (repeated 3 times)
add bh, bh
inc dword ptr [eax]
add byte ptr [eax], al  (repeated 6 times)
Note: apart from the two jumps, the bytes at the entry point decode as 00 00 padding ("add byte ptr [eax], al") and small data values rather than a function prologue, which is what the "Entry point lies outside standard sections" signature is picking up. The jump targets are the addresses the report's disassembler displays and do not fall inside the 0x400000-based image.
Data directories (Name / Virtual Address / Virtual Size / Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0     0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8055  0x69   .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000  0x59c  .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0     0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0     0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x81f8  0x8    .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0     0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0     0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0     0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0     0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0     0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0     0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0     0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0     0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0     0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0     0x0
Only the import, resource and an 8-byte relocation directory are populated; there is no IAT, load config, debug, TLS or CLR (COM descriptor) directory, which fits a packer stub that resolves its own imports at runtime rather than a normally linked executable.
Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):
(unnamed)  0x2000    0x4000    0x1200    35e3b799fd6bd7ac122d8873c6d5298a  False    0.9327256944444444   data                  7.803941688593309   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x6000    0x59c     0x600     aae15e30898a02f09cc86ed48aa06b09  False    0.4140625            data                  4.036947054771808   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x8000    0x2000    0x200     ec9cb51e8cb4ea49a56ee3cf434fb69e  False    0.1484375            data                  0.9342685949460681  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
amvqvmpn   0xa000    0x29e000  0x29ca00  afbf15e504dffd17e16ef69e30cddd69  unknown  unknown              unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
turhvfhb   0x2a8000  0x2000    0x400     68416082cce9adc5642ded306ee8e35d  False    0.7412109375         data                  5.9240367903659665  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0x2aa000  0x4000    0x2200    6bff4a1381158e81e1da1dc8341e6313  False    0.09099264705882353  DOS executable (COM)  0.9683084274839555  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Every executable section is also writable, the first section has an empty name, two sections carry random eight-letter names, the unnamed section's raw data is close to maximal entropy (7.80), and the 2.7 MB amvqvmpn section, which holds almost the whole file, could not be characterised at all. The .taggant section is the marker appended by packers that support the IEEE Software Taggant System, and here it is where the entry point lands.
Resources (Name / RVA / Size / Type / Language / Country / ZLIB Complexity):
RT_VERSION   0x6090  0x30c  data  0.42948717948717946
RT_MANIFEST  0x63ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  0.5489795918367347
Imports (DLL / Import):
kernel32.dll  lstrcpy
The static import table carries a single function, lstrcpy from kernel32.dll. Everything the sample is seen calling at runtime (VirtualAlloc, VirtualProtect, GetModuleFileNameA, LoadLibraryA, CreateFileA, OpenSCManagerW, ControlService, ImpersonateLoggedOnUser in the execution graph below) is resolved dynamically by the stub.
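The static indicators above (entry point in .taggant, an unnamed and two randomly named sections, every executable section writable, a 7.8-entropy first section, a single import) are exactly the checks a triage script should reproduce before spending a sandbox run. The Python below is an added example written for this page, not Joe Sandbox code or anything from the sample: it parses the PE section table with the standard library alone, determines which section contains the entry point, and flags the same indicators. `build_constructed_sample()` assembles a tiny constructed PE32 that copies this report's section names, RVAs and characteristics but uses 512 bytes of made-up filler per section; it is not the analysed file.

```python
"""Static PE section triage reproducing the indicators flagged in this report."""
import math
import struct
from dataclasses import dataclass

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Section names a normal compiler/linker emits; anything else gets flagged.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".debug"}


@dataclass
class Section:
    name: str
    virtual_address: int      # RVA of the section
    virtual_size: int
    raw_size: int
    raw_offset: int           # file offset of the raw data
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        span = max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < self.virtual_address + span


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """Return (entry_point_rva, image_base, [Section]) for a PE32 or PE32+ file."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    table = opt + opt_size                               # section headers follow the optional header
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), va, vsize, rsize, roff, chars))
    return entry_rva, image_base, sections


def triage(image: bytes, entropy_threshold: float = 7.0) -> list:
    """List the packer indicators this report flags, as human-readable strings."""
    entry_rva, image_base, sections = parse_pe(image)
    findings = []
    ep = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if ep is None:
        findings.append(f"entry point 0x{image_base + entry_rva:x} maps to no section")
    elif ep.name not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{image_base + entry_rva:x} lies in non-standard section {ep.name!r}")
    for s in sections:
        if s.name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s.name!r}")
        if s.characteristics & RWX == RWX:
            findings.append(f"section {s.name!r} is readable, writable and executable")
        raw = image[s.raw_offset:s.raw_offset + s.raw_size]
        if raw:
            h = shannon_entropy(raw)
            if h >= entropy_threshold:
                findings.append(f"section {s.name!r} raw data entropy {h:.2f} (packed or encrypted)")
    return findings


def build_constructed_sample() -> bytes:
    """A tiny CONSTRUCTED PE32 copying this report's section layout (names, RVAs,
    characteristics) with 512 bytes of made-up raw data per section. Not the sample."""
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | RWX
    layout = [  # (name, RVA, virtual size, characteristics, raw data)
        ("",         0x2000,   0x4000,   rwx, bytes(range(256)) * 2),          # uniform bytes: entropy 8.0
        (".rsrc",    0x6000,   0x59c,    rw,  b"\x00" * 0x200),
        (".idata",   0x8000,   0x2000,   rw,  b"lstrcpy\x00".ljust(0x200, b"\x00")),
        ("amvqvmpn", 0xa000,   0x29e000, rwx, b"\x00" * 0x200),
        ("turhvfhb", 0x2a8000, 0x2000,   rwx, b"\x00" * 0x200),
        (".taggant", 0x2aa000, 0x4000,   rwx, b"\xe9\x05\x00\x00\x00".ljust(0x200, b"\x00")),
    ]
    opt_size = 0xE0                                      # PE32 optional header incl. 16 data directories
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(layout)
    headers = (headers + 0x1FF) & ~0x1FF                 # round up to FileAlignment (0x200)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x652C2850, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2aa000)            # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    table, body, offset = b"", b"", headers
    for name, rva, vsize, chars, raw in layout:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, rva, len(raw), offset, 0, 0, 0, 0, chars)
        body += raw
        offset += len(raw)
    return bytes(dos + b"PE\0\0" + coff + opt + table).ljust(headers, b"\0") + body


if __name__ == "__main__":
    for finding in triage(build_constructed_sample()):
        print(finding)
```

Run against the constructed image it reports the entry point in .taggant, four RWX sections, four non-standard names (the empty one included) and the high-entropy first section, the same ten indicators visible in the tables above; point `triage()` at the bytes of a real file to get the same list for it.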
No network behavior found


Target ID: 0
Start time: 05:03:04
Start date: 21/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xb10000 (runtime base; the file's preferred base is 0x400000 and DYNAMIC_BASE is set, so the image was relocated, and the 0xb1xxxx to 0xdbxxxx addresses in the graphs below refer to this mapping)
File size: 2'763'264 bytes
MD5 hash: 8D6BE2AE7D7980C17BFCC04BAFF0197B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage: 4.2%
    Dynamic/Decrypted Code Coverage: 11.4%
    Signature Coverage: 17.7%
    Total number of Nodes: 79
    Total number of Limit Nodes: 7

    Execution graph (graphviz text in the original, reduced here to the nodes that call APIs and the chains between them; addresses are in the 0xb10000-based image):
      • c9458d → c945a3 CreateFileA → c945ba; c9423f CreateFileA → c94257
      • 5181510 → 5181558 ControlService → 518158f
      • 5181308 → 5181349 ImpersonateLoggedOnUser → 5181376
      • 5180d48 → 5180d93 OpenSCManagerW → 5180ddc
      • b1e349 → b1ec94 VirtualAlloc → b1ecae
      • c9c933 → c9c96b LoadLibraryA; c90ad4 LoadLibraryA → c90adc
      • cf6f36 GetSystemInfo → cf6f94 VirtualAlloc → cf7282 (VirtualAlloc, GetModuleFileNameA, VirtualProtect), with cf7282 called again from cf6fdb, cf7005, cf702f and cf7059, and cf70cc (GetModuleFileNameA, VirtualProtect) on the exit path
      • cf7282 → cf728a → cf729e / cf72b6 → cf714e → cf7156 → cf7169 → cf77a1; cf72b6 → cf72c7 → cf72d9 → cf72ea VirtualAlloc
      • cf77a1 → cf77a8 → cf76af → cf76c4 ↔ cf774e GetModuleFileNameA; cf77a8 → cf7962 → cf7976 ↔ cf7ab1 VirtualProtect
      • cf7f86, cf7f3a and cf7ed0 each reach cf7af7, which calls cf7962 VirtualProtect and cf77a1
    The nodes at 5180d48, 5181308 and 5181510 (OpenSCManagerW, ImpersonateLoggedOnUser, ControlService) lie far above the image's memory regions listed below (0xb10000 to 0xdba000), i.e. in memory the stub allocated at runtime, which is where the code counted under "Dynamic/Decrypted Code Coverage" runs. The cf6f36 chain (GetSystemInfo, VirtualAlloc, GetModuleFileNameA for its own path, repeated VirtualProtect) is the unpacking routine and is what the "Detected unpacking (changes PE section rights)" signature refers to.

    Control-flow graph, function cf6f36 (basic block: address range, calls, successors):
      34: cf6f36-cf6f50  GetSystemInfo              → 35, 36
      35: cf6f56-cf6f8e                             → 36
      36: cf6f94-cf6fdd  VirtualAlloc, call cf7282  → 40, 41
      41: cf6fe3-cf7007  call cf7282                → 40, 47
      47: cf700d-cf7031  call cf7282                → 40, 51
      51: cf7037-cf705b  call cf7282                → 40, 54
      54: cf7061-cf706e                             → 55, 56
      55: cf7094-cf70ab  call cf7282                → 58
      56: cf7074-cf708f                             → 60
      58: cf70b0-cf70b2                             → 40, 61
      61: cf70b8                                    → 60
      60: cf70be                                    → 48
      40: cf70c3         call cf70cc                → 46
      46: cf70c8                                    → 48
      48: cf70ca-cf70cb
    Each of the five cf7282 calls can bail out to block 40, so the routine retries the allocate/protect step until one succeeds.
    APIs
    • GetSystemInfo.KERNELBASE(?,-117B5FEC), ref: 00CF6F42
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00CF6FA3 (lpAddress = NULL, dwSize = 0x4000, flAllocationType = MEM_COMMIT, flProtect = PAGE_READWRITE)
    Memory Dump Source
    • Source File: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 23138d17b5557d7239ed5bf69b59bc448d09d96d5b667968debae9381bf8a718
    • Instruction ID: cf447cfec5fae44ee669870bed2176f3d07af30b7bd04f975b78ebab26b67973
    • Opcode Fuzzy Hash: 23138d17b5557d7239ed5bf69b59bc448d09d96d5b667968debae9381bf8a718
    • Instruction Fuzzy Hash: 074153B1E4420AEAD3A5DF60C805FA6B7ECFF48341F100566B203DE881EB7195D48BE9
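To decide which of the dumps above to load, it helps to decode the dump names and map each region back onto the static section table at the runtime base of 0xb10000. The Python below is an added example for this page, not Joe Sandbox tooling. It assumes that in a name of the form pid.field.dumpid.address.protection.field.type.field.sdmp the fifth dotted field is the Win32 page protection and the seventh the region type; the 0x04/0x08/0x40/0x80 and 0x01000000 (MEM_IMAGE) values in the list are consistent with that reading, but the report does not document it. The sample names are copied from the list above; `SECTIONS` is the section table from the static analysis.

```python
"""Decode Joe Sandbox memory-dump names and map each region onto the PE sections."""
import re
from collections import Counter

# winnt.h page protections (low byte of the protection value) and the MEM_IMAGE type.
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_IMAGE = 0x01000000

# ASSUMPTION (not documented in the report): the dotted fields of a dump name are
# pid.field.dumpid.address.protection.field.type.field; only address, protection and
# type are interpreted here.
DUMP_NAME = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<address>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")

# Static section table from this report: (name, RVA, virtual size).
SECTIONS = [("", 0x2000, 0x4000), (".rsrc", 0x6000, 0x59c), (".idata", 0x8000, 0x2000),
            ("amvqvmpn", 0xa000, 0x29e000), ("turhvfhb", 0x2a8000, 0x2000),
            (".taggant", 0x2aa000, 0x4000)]
RUNTIME_BASE = 0xB10000   # Imagebase of the running process in this report

# Dump names copied from the Memory Dump Source list above (a subset).
SAMPLE_DUMPS = [
    "00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp",
]


def parse_dump_name(name: str) -> dict:
    """Split one dump name into address, protection and region type."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    protect = int(m["protect"], 16)
    return {
        "address": int(m["address"], 16),
        "protect": protect,
        "protect_name": PAGE_NAMES.get(protect & 0xFF, f"0x{protect:x}"),
        "executable": (protect & 0xFF) in EXECUTABLE,
        "image": bool(int(m["type"], 16) & MEM_IMAGE),
    }


def section_for(address: int, base: int = RUNTIME_BASE, sections=SECTIONS):
    """Section an address falls in at the given base; '<headers>' below the first
    section; None for addresses outside the mapped image (heap, stub allocations)."""
    rva = address - base
    if rva < 0:
        return None
    for name, va, vsize in sections:
        if va <= rva < va + vsize:
            return name or "<unnamed>"
    return "<headers>" if rva < sections[0][1] else None


def summarise(names):
    """Decode every name; return (regions, protection counts, executable regions)."""
    regions = []
    for n in names:
        r = parse_dump_name(n)
        r["section"] = section_for(r["address"])
        regions.append(r)
    counts = Counter(r["protect_name"] for r in regions)
    executable = [r for r in regions if r["executable"]]
    return regions, counts, executable


if __name__ == "__main__":
    regions, counts, executable = summarise(SAMPLE_DUMPS)
    for r in regions:
        print(f"{r['address']:#010x} {r['protect_name']:<24} {r['section']}")
    print(dict(counts), f"{len(executable)} executable regions")
```

Under this reading the dump list spans the whole relocated image: the headers at 0xb10000 are PAGE_READWRITE, the unnamed section at 0xb12000 is already PAGE_EXECUTE_READWRITE, the region at 0xcf6000 (the source of the cf6f36 function above) and most of the others fall inside amvqvmpn with a mix of PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY, and the last region at 0xdba000 is .taggant. Addresses such as 0x5181510 from the execution graph map to no section, which is how the function confirms they are outside the image.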

    Control-flow graph, function c941bd:
      200: c941bd-c94257  CreateFileA, call c9425a
    APIs
    • CreateFileA.KERNELBASE(?,00C941B9,00000003), ref: 00C9424D
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: the same 40 dump regions (00B10000 to 00DBA000) listed under function cf6f36 above, except that the CF6000 region appears here and this function's own C8E000 source does not
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5d1b628a4025fdcd42185291b3b9668ee10bb38914cb1f9fbf9ed848a3975ee2
    • Instruction ID: 13b59465c40fb57777478c49c34eeb76aff375fd6af0cf9a736635a7b0eb8f5b
    • Opcode Fuzzy Hash: 5d1b628a4025fdcd42185291b3b9668ee10bb38914cb1f9fbf9ed848a3975ee2
    • Instruction Fuzzy Hash: 0C0100FB2481507DB614CA96BE58EFFA7ACE6C5B30730882BF905C2501D2504E4E9635

    Control-flow graph, function c944bf:
      0:  c944bf-c944fd                 → 4, 5
      5:  c94503                        → 4
      4:  c9451a-c9457e                 → 10, 11
      11: c94584                        → 10
      10: c94594-c94595                 → 12, 13
      12: c9459b                        → 13, 16
      16: c945a1-c945a2                 → 13
      13: c945a3-c945b4  CreateFileA    → 14, 15
      14: c945ba-c9472e  call c94734
      15: c945d1-c9462e  call c94631
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: the same 40 dump regions as listed for function c941bd above (source region C8E000)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 142d996a9dea7048fcad793bda91d34134f26d805497d5b22fe282b73517963f
    • Instruction ID: f8de3122f4798e2548122be3f2cbc7beeb223e665cfbe8523674ca830f0ef559
    • Opcode Fuzzy Hash: 142d996a9dea7048fcad793bda91d34134f26d805497d5b22fe282b73517963f
    • Instruction Fuzzy Hash: 8A21F8B614C109AFEF05CE96AA18DFF37ADE785330B318426F802D7501D2615E0B6B35

    Control-flow graph, function c9434e:
      24: c9434e-c94388  CreateFileA    → 25, 26
      25: c9438e-c943c5  call c943c8
      26: c945d1-c9462e  call c94631
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: the same 40 dump regions as listed for function c941bd above (source region C8E000)
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863

    Control-flow Graph
    • Legend: Executed / Not Executed
    • Graph: entry node c943ec, basic blocks spanning c943ec-c9472e, one CreateFileA call site (raw node and edge dump omitted)
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:

    Control-flow Graph
    • Legend: Executed / Not Executed
    • Graph: entry node cf7962, basic blocks spanning cf7962-cf7af4, one VirtualProtect call site (raw node and edge dump omitted)
    Memory Dump Source
    • Source File: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:

    Control-flow Graph
    • Legend: Executed / Not Executed
    • Graph: entry node c90ad4, basic blocks spanning c90ad4-c90c1d, one LoadLibraryA call site, self-looping tail block at c90c1d (raw node and edge dump omitted)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0

    Control-flow Graph
    • Legend: Executed / Not Executed
    • Graph: entry node c941c9, basic blocks spanning c94187-c94257, one CreateFileA call site (raw node and edge dump omitted)
    APIs
    • CreateFileA.KERNELBASE(?,00C941B9,00000003), ref: 00C9424D
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0

    Control-flow Graph
    • Legend: Executed / Not Executed
    • Graph: entry node c944c9, basic blocks spanning c944c9-c9472e, one CreateFileA call site (raw node and edge dump omitted)
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0

    Control-flow Graph
    • Legend: Executed / Not Executed
    • Graph: entry node c94508, basic blocks spanning c94504-c9472e, one CreateFileA call site (raw node and edge dump omitted)
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a540aed2fb1e2e705555048df164b40b91d25b1759f5a2c25464f1180cb8320f
    • Instruction ID: 94777f6f1c291e205d0eaa3ee2a901b16e96e69370a79b79749d16c1ccb3523e
    • Opcode Fuzzy Hash: a540aed2fb1e2e705555048df164b40b91d25b1759f5a2c25464f1180cb8320f
    • Instruction Fuzzy Hash: 5F11C47610C115AFAF09CF95AA58CFA73A9DBC6374B328466E842C7501E3219E07A770

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 232 c944f1-c944fd 234 c9451a-c9457e 232->234 235 c94503 232->235 240 c94594-c94595 234->240 241 c94584 234->241 235->234 242 c9459b 240->242 243 c945a3-c945b4 CreateFileA 240->243 241->240 242->243 246 c945a1-c945a2 242->246 244 c945ba-c9472e call c94734 243->244 245 c945d1-c9462e call c94631 243->245 246->243
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 6f49a609d2f936aeec51ebce62d49fe342179e14c7b4c141c89606e8ebe294ad
    • Instruction ID: 4c487873264684a2acca4e2ac26408850e6e22896c40e6279986bbca95740def
    • Opcode Fuzzy Hash: 6f49a609d2f936aeec51ebce62d49fe342179e14c7b4c141c89606e8ebe294ad
    • Instruction Fuzzy Hash: 6701F9B610C115AF6F09CE96AA08CBA33ADD7C63307328426F806D7501D2619E0B6731

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 254 cf76af-cf76be 255 cf76ca-cf76de 254->255 256 cf76c4 254->256 258 cf779c-cf779e 255->258 259 cf76e4-cf76ee 255->259 256->255 260 cf778b-cf7797 259->260 261 cf76f4-cf76fe 259->261 260->255 261->260 262 cf7704-cf770e 261->262 262->260 263 cf7714-cf7723 262->263 265 cf772e-cf7733 263->265 266 cf7729 263->266 265->260 267 cf7739-cf7748 265->267 266->260 267->260 268 cf774e-cf7765 GetModuleFileNameA 267->268 268->260 269 cf776b-cf7779 call cf760b 268->269 272 cf777f 269->272 273 cf7784-cf7786 269->273 272->260 273->258
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00CF775C
    Memory Dump Source
    • Source File: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: a5e8d34df5ad6706bc22688d307843dab5934b7fa3eef446b87c1446d12e2f33
    • Instruction ID: 9bfe6935de5c6df4f1cdcfc2282405f237d562c27ba095a710370390d0ee7856
    • Opcode Fuzzy Hash: a5e8d34df5ad6706bc22688d307843dab5934b7fa3eef446b87c1446d12e2f33
    • Instruction Fuzzy Hash: AE11E671A1962C9FEBB26B05CC48FFA777CEF04750F204296FA15A6041D7749E808AA2

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 274 5180d41-5180d97 276 5180d99-5180d9c 274->276 277 5180d9f-5180da3 274->277 276->277 278 5180dab-5180dda OpenSCManagerW 277->278 279 5180da5-5180da8 277->279 280 5180ddc-5180de2 278->280 281 5180de3-5180df7 278->281 279->278 280->281
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05180DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2284853655.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5180000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 8e418ebbf7806b74243f2651a928292f1fe948dbb1597887434e984397628263
    • Instruction ID: 06be69d5931a2140e2b299f332c062fc66aa5c7f2bf5f97aa37cddc555092eb4
    • Opcode Fuzzy Hash: 8e418ebbf7806b74243f2651a928292f1fe948dbb1597887434e984397628263
    • Instruction Fuzzy Hash: B1214CB6C012099FCB50DF99D484ADEFBF1FF88710F14821AD808AB204D7346545CFA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05180DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2284853655.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5180000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 8ee55da9b2dc44698b3f6f8153b6e36e8a9e7f05568b1e25b715489967975af3
    • Instruction ID: b4734c9f7515010b4567ad4d496eeb203294ae4a30674ae59ae3ac36d3b867f4
    • Opcode Fuzzy Hash: 8ee55da9b2dc44698b3f6f8153b6e36e8a9e7f05568b1e25b715489967975af3
    • Instruction Fuzzy Hash: 2C2127BAC012189FCB50DF99D884ADEFBF5FF88710F14821AD909AB204D734A544CFA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05181580
    Memory Dump Source
    • Source File: 00000000.00000002.2284853655.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5180000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 659c773a5ce32cfff9d2d71fa428bd7ae6294c20765ed7c6cf298ad7aa3b3e8a
    • Instruction ID: 790be3d0f10b5170eae2413fe7db09215cd44588c02a3554c078ec75319e202e
    • Opcode Fuzzy Hash: 659c773a5ce32cfff9d2d71fa428bd7ae6294c20765ed7c6cf298ad7aa3b3e8a
    • Instruction Fuzzy Hash: B62117B1D042499FDB10DF9AD584BDEFBF4FB49320F10802AE919A7240D778A645CFA5
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 3680b6d67e56fb35e65c154c882f384fc888a07bdb7b7189074746a8c1c82413
    • Instruction ID: 8c50a5fc259bdf616cb51562b21deefa9356fc21e0e49e49fbaab0698aa748af
    • Opcode Fuzzy Hash: 3680b6d67e56fb35e65c154c882f384fc888a07bdb7b7189074746a8c1c82413
    • Instruction Fuzzy Hash: BA01F97610C1199FAF04CF96AA54DFE33E9DBC63307228426E441D7901D3219E4B9731
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 99731bbbf5d9dc4e05ac878a4ac7b4d5b9e8e1112154a8dcb4b84264527f5ca4
    • Instruction ID: 96d297c8fec0e34c271577de1145109ae05f1ff00b2fb4973fd5d3630191c6c1
    • Opcode Fuzzy Hash: 99731bbbf5d9dc4e05ac878a4ac7b4d5b9e8e1112154a8dcb4b84264527f5ca4
    • Instruction Fuzzy Hash: 7D01497600C1059FAF08CE92AA48CFF33ADDBC1320B228426E841C7901E3209D0B5731
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05181580
    Memory Dump Source
    • Source File: 00000000.00000002.2284853655.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5180000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 10cc0c55f3f24e1c73a07701f2625e64347ebed9c30e4f1ea92e358f2400d559
    • Instruction ID: ddfc1065722d48736865aece84a7464584551e987d8ad576bed12c07eef84881
    • Opcode Fuzzy Hash: 10cc0c55f3f24e1c73a07701f2625e64347ebed9c30e4f1ea92e358f2400d559
    • Instruction Fuzzy Hash: C311E4B19002499FDB10DF9AD584BEEFBF4FB49320F10802AE959A3250D378A645CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05181367
    Memory Dump Source
    • Source File: 00000000.00000002.2284853655.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5180000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 4ad587a7be48917a4135baf1ef7473ceae2aa663f05d891ea323c2874122c138
    • Instruction ID: de8c0c72939505d89d1c0901c8fc66462d7eadfae53370c1e87dc932151236c8
    • Opcode Fuzzy Hash: 4ad587a7be48917a4135baf1ef7473ceae2aa663f05d891ea323c2874122c138
    • Instruction Fuzzy Hash: D71125B1804249CFDB10DF9AD584BEEFBF4EF48324F24842AD518A3640D778A545CFA1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05181367
    Memory Dump Source
    • Source File: 00000000.00000002.2284853655.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5180000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 8498502eb9bf22ea7b0b9b10dbfb7f36d69a57d1e6879f0919b61b0caf34da90
    • Instruction ID: fa53ead8e74c0d371e6574d888e7b0e8475328ad42d4404fdf329f316c3eba95
    • Opcode Fuzzy Hash: 8498502eb9bf22ea7b0b9b10dbfb7f36d69a57d1e6879f0919b61b0caf34da90
    • Instruction Fuzzy Hash: 3B1118B1800249CFDB10DF9AD545BEEFBF8EF48320F14846AD518A3650D778A545CFA5
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 21cff0caca4ed23ff990998ba2f6600716b1c4845f8a9a977c2bb9510f090835
    • Instruction ID: 485f4d13ed6c6bb55452a6c8419638e74497f69fb964838b52fee74591034ed6
    • Opcode Fuzzy Hash: 21cff0caca4ed23ff990998ba2f6600716b1c4845f8a9a977c2bb9510f090835
    • Instruction Fuzzy Hash: 3EF0277514C15A8F8F18DFA1E8888FE37E3DF8A364B4A0025C884D7E01C231DD578B50
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 3af8cf2889b8a66702ccd7e879b47e96ba489d7de0505abe92d82c5043a8a91c
    • Instruction ID: acec7baf02658de484b1e3101dae0feb1349bd8c6bdb7f9cea1071df782ae759
    • Opcode Fuzzy Hash: 3af8cf2889b8a66702ccd7e879b47e96ba489d7de0505abe92d82c5043a8a91c
    • Instruction Fuzzy Hash: 28E065F250C6249FD7416F5598456FE7BD8EB04261F170D2DE9C6D2240E23504809B93
    APIs
    • CreateFileA.KERNELBASE(95317178,00C944BB,00000003,00000000,00000003,00C943E8), ref: 00C945AB
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: c4c12ffef48ce6a615253bc692c69372467709ba0c728b21413b4ff57f9d2b17
    • Instruction ID: cd5c99c30bb80ca0df8105e2d6f78e99d9abc8d99e52ab6be7107a3744e78b1a
    • Opcode Fuzzy Hash: c4c12ffef48ce6a615253bc692c69372467709ba0c728b21413b4ff57f9d2b17
    • Instruction Fuzzy Hash: 2CE026361491088F8F08DFA4A4988AE33D1DF92360B5A5469C490DBA02D731CD07C790
    APIs
    • CreateFileA.KERNELBASE(?,00C941B9,00000003), ref: 00C9424D
    Memory Dump Source
    • Source File: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 4b23ad4ff514d8cf7ba246b5bbad27c97dd3496e193f4bfc76d4d63f951c56f7
    • Instruction ID: ee8a5fc5a5a955d4bf833993d1d5b49cd43f031a615ec992a8bad051c7f9e802
    • Opcode Fuzzy Hash: 4b23ad4ff514d8cf7ba246b5bbad27c97dd3496e193f4bfc76d4d63f951c56f7
    • Instruction Fuzzy Hash: 2AC08C20B8422422D31A9B2C0C5571CA1C80FA1200F400668A004DB1C2CC40AC020185
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00CF72D5,?,?,00CF6FDB,?,?,00CF6FDB,?,?,00CF6FDB), ref: 00CF72F9
    Memory Dump Source
    • Source File: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: d9fa502d6d8f67ab13048187c2d94d0cf58e8f2cbc0d46174b1d2547f0ab85d8
    • Instruction ID: a9cde5f790ea2ceb1f4a70b397356483c0fd3afc972c3000a2b0e570359a3639
    • Opcode Fuzzy Hash: d9fa502d6d8f67ab13048187c2d94d0cf58e8f2cbc0d46174b1d2547f0ab85d8
    • Instruction Fuzzy Hash: 3BF0D1B1A0420AEFD7A48F05C904BA8BFE0FF44352F108169F94AAF5A1D3B198C09B94
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00B1EC9C
    Memory Dump Source
    • Source File: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 93cbcb8f785962c83334840d29fa6a6c1f81ff8268d90979fb89c162bfe42248
    • Instruction ID: 5913b05b1bf0e3652481277a848ca048e80b4f9f383770eaa9d89c6ef2e3e0aa
    • Opcode Fuzzy Hash: 93cbcb8f785962c83334840d29fa6a6c1f81ff8268d90979fb89c162bfe42248
    • Instruction Fuzzy Hash: 77E04F7160824DCFD744DF789D482AE7BE5FB80321F50CA69E865C6AD4DA724C50C615
    Memory Dump Source
    • Source File: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1e78ee4579fb7cde08c86da910050b9e788ea914eb6f02e91783a7b0fbd8d657
    • Instruction ID: bc0aa8d740c767b292395ebc761da1a8f222e72cf162a32b714bdafb5ca373bb
    • Opcode Fuzzy Hash: 1e78ee4579fb7cde08c86da910050b9e788ea914eb6f02e91783a7b0fbd8d657
    • Instruction Fuzzy Hash: EAC1AAB3F106354BF3504D38CD983A276929BA5320F2F42788E5CAB7C5D97E9D0A52C4
    Memory Dump Source
    • Source File: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5b5b7f027179ca0a1ba397dac3e4f0906e66b96879d4ab476dfe0eb19421004f
    • Instruction ID: 9cfeed44a0908a8aae773b51a65c6ea943427c8fa4ffc833fa38ee589ec54f36
    • Opcode Fuzzy Hash: 5b5b7f027179ca0a1ba397dac3e4f0906e66b96879d4ab476dfe0eb19421004f
    • Instruction Fuzzy Hash: A4515BB360C604DFD3046B28EC5567ABBE5EF95321F34863DE6CB82784F931C804A262
    Memory Dump Source
    • Source File: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4ef993606cab63e220b3cf0d33a02fc8f513107552d0466e57fc77412f44d4c9
    • Instruction ID: 6bfc39eb7a490e5f39aed9aefc02063818431333c80bd27303f81e37e2934b45
    • Opcode Fuzzy Hash: 4ef993606cab63e220b3cf0d33a02fc8f513107552d0466e57fc77412f44d4c9
    • Instruction Fuzzy Hash: DEE04F760051419BD700DF54D8459DFFBF4FF59310F208445E444C7222C2358941CB2A
    Memory Dump Source
    • Source File: 00000000.00000002.2282497302.0000000000CA4000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true
    • Associated: 00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282442406.0000000000C9B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282479587.0000000000C9F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282515564.0000000000CAD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282532533.0000000000CAF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282550294.0000000000CB1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282565580.0000000000CB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282588560.0000000000CCC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282605368.0000000000CCD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282620708.0000000000CCE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282641724.0000000000CE0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282663742.0000000000CF3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282680513.0000000000CF6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282700239.0000000000D03000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282716759.0000000000D04000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282734661.0000000000D0B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282753740.0000000000D11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282770383.0000000000D13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282787011.0000000000D18000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282808571.0000000000D29000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282824250.0000000000D2B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282840543.0000000000D2C000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282857419.0000000000D32000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282875596.0000000000D3A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282895570.0000000000D3B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282917000.0000000000D45000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282971901.0000000000DA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2282986934.0000000000DA1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA2000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283004053.0000000000DA9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283040631.0000000000DB8000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 149f57d6e79f6696cade109fc46bbdfb775c946ef40b27ac2b012b9b70ff1e4b
    • Instruction ID: 6ee7173f24e8dc253ab2b89002201bba840deab3c0f74af490e4191628134ebb
    • Opcode Fuzzy Hash: 149f57d6e79f6696cade109fc46bbdfb775c946ef40b27ac2b012b9b70ff1e4b
    • Instruction Fuzzy Hash: 09C02B3050C75597C2058339041179420906F0230FF3B81887800211C10107B0001124
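The memory-dump blocks above all refer to the same image at 00B10000, and the only thing that varies between the dump names is the base address and the fifth field, which in this report takes the values 00000004, 00000008, 00000040 and 00000080. Those are exactly the Win32 PAGE_* protection constants, and the seventh field, 01000000, equals MEM_IMAGE, which agrees with "based on PE: true". The following Python is an added example, not Joe Sandbox code: it parses the dump names listed in this section, decodes the protection field, and lists the image pages that were both writable and executable at dump time, which is where unpacked code would have been written. The field layout it assumes (process index, phase, dump id, base address, protection, unknown, memory type, unknown) is inferred from the names on this page, not from a documented format; only the base-address and protection fields are relied on.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names.

Added example; not Joe Sandbox code. Assumed field layout, inferred from the
names in the report rather than a documented format:
  <process index>.<phase>.<dump id>.<base address>.<page protection>.<?>.<memory type>.<?>.sdmp
The base address matches the report's "Offset"/source-file addresses and the
protection values (0x04, 0x08, 0x40, 0x80) are the Win32 PAGE_* constants.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Win32 memory constants (winnt.h).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_GUARD, PAGE_NOCACHE, PAGE_WRITECOMBINE = 0x100, 0x200, 0x400
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

_BASE_PROTECT = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
_MODIFIERS = {PAGE_GUARD: "PAGE_GUARD", PAGE_NOCACHE: "PAGE_NOCACHE",
              PAGE_WRITECOMBINE: "PAGE_WRITECOMBINE"}
_MEM_TYPE = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

_HEX8 = r"[0-9A-Fa-f]{8}"
_SDMP_RE = re.compile(
    rf"^(?P<proc>{_HEX8})\.(?P<phase>{_HEX8})\.(?P<dump_id>\d+)\.(?P<base>[0-9A-Fa-f]{{16}})"
    rf"\.(?P<protect>{_HEX8})\.{_HEX8}\.(?P<mtype>{_HEX8})\.{_HEX8}\.sdmp$"
)


@dataclass(frozen=True)
class SdmpRegion:
    process_index: int
    phase: int
    dump_id: str
    base: int
    protect: int
    memory_type: int


def is_sdmp_name(name: str) -> bool:
    return _SDMP_RE.match(name.strip()) is not None


def parse_sdmp_name(name: str) -> SdmpRegion:
    """Split one .sdmp file name into its fields; ValueError for anything else."""
    m = _SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return SdmpRegion(int(m["proc"], 16), int(m["phase"], 16), m["dump_id"],
                      int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def describe_protection(protect: int) -> str:
    """PAGE_* name of the low byte plus any modifier bits, e.g. 'PAGE_READWRITE|PAGE_GUARD'."""
    name = _BASE_PROTECT.get(protect & 0xFF, f"0x{protect & 0xFF:02X}")
    mods = [n for bit, n in _MODIFIERS.items() if protect & bit]
    return "|".join([name, *mods])


def describe_memory_type(mtype: int) -> str:
    return _MEM_TYPE.get(mtype, f"0x{mtype:08X}")


def is_executable(protect: int) -> bool:
    return bool(protect & EXECUTABLE)


def is_writable(protect: int) -> bool:
    return bool(protect & WRITABLE)


def protection_histogram(names) -> Counter:
    """How many dumped regions carry each protection."""
    return Counter(describe_protection(parse_sdmp_name(n).protect) for n in names)


def writable_executable_regions(names) -> list:
    """Regions that are both writable and executable, lowest address first.
    In an image mapping these are the first pages to inspect for unpacked code."""
    regions = (parse_sdmp_name(n) for n in names)
    return sorted((r for r in regions if is_executable(r.protect) and is_writable(r.protect)),
                  key=lambda r: r.base)


# A subset of the dump names listed in this report (process 0, image at 0x00B10000).
SAMPLE_DUMPS = [
    "00000000.00000002.2282226888.0000000000B10000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282244718.0000000000B12000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282261626.0000000000B16000.00000008.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282279259.0000000000B1A000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282297600.0000000000B26000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282399417.0000000000C72000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282418198.0000000000C74000.00000080.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2282934242.0000000000D47000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2283058007.0000000000DBA000.00000080.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_sdmp_name, SAMPLE_DUMPS):
        print(f"{r.base:08X}  {describe_protection(r.protect):<24} {describe_memory_type(r.memory_type)}")
    print(dict(protection_histogram(SAMPLE_DUMPS)))
```

Run against the nine sample names, every region decodes as MEM_IMAGE and seven of the nine are writable and executable (PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY), with only the header page at 00B10000 (PAGE_READWRITE) and the page at 00B16000 (PAGE_WRITECOPY) non-executable. For a normally mapped PE the code pages would be PAGE_EXECUTE_READ, so a listing dominated by writable+executable image pages is the dump-level counterpart of the "changes PE section rights" finding.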