Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561839
MD5: 055e708a61203da74b8aa9a30a791b40
SHA1: 9e161a2721659478c2737bebfbd0adb94642eb21
SHA256: 84d2e346bb7f4ea07164470eff9eef746dc196a2a7a94ec375133daa958d594e
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 055E708A61203DA74B8AA9A30A791B40)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1754394717.0000000005350000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004041A0 | 0_2_004041A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E779 | 0_2_0040E779
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E784 | 0_2_0040E784
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040E7A6 | 0_2_0040E7A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00403B0E | 0_2_00403B0E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00448FB2 appears 31 times
Source: file.exe, 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2814464 > 1048576
Source: file.exe | Static PE information: Raw size of cmdvelvm is bigger than: 0x100000 < 0x2a9200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1754394717.0000000005350000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.260000.0.unpack :EW;.rsrc:W;.idata :W;cmdvelvm:EW;fzyhajxw:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2af504 should be: 0x2b5312
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: cmdvelvm
Source: file.exe | Static PE information: section name: fzyhajxw
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002702B8 push edx; mov dword ptr [esp], 00000004h | 0_2_002702BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026E80B push esi; mov dword ptr [esp], edx | 0_2_0026F525
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404D72 push edx; mov dword ptr [esp], ebx | 0_2_00404D75
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00404D72 push 06D3F60Bh; mov dword ptr [esp], ebx | 0_2_00407244
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C060 push ecx; ret | 0_2_0040C06F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405062 push 76A8C20Bh; mov dword ptr [esp], ebx | 0_2_00405C2A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0027306D push edi; mov dword ptr [esp], ebp | 0_2_00275462
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0027407E push ebp; mov dword ptr [esp], eax | 0_2_00274090
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0027304A push 60166DB1h; mov dword ptr [esp], ecx | 0_2_0027304F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406031 push edx; mov dword ptr [esp], ecx | 0_2_00406035
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C0C3 push eax; ret | 0_2_0040C0D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002710A8 push ecx; mov dword ptr [esp], edi | 0_2_002710B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002730BC push ecx; mov dword ptr [esp], 7930E81Ch | 0_2_002730BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002730BC push edi; mov dword ptr [esp], ecx | 0_2_002730DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004060E7 push 06D3F60Bh; mov dword ptr [esp], ebx | 0_2_00407244
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004100EE push es; ret | 0_2_0041010C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00271094 push 7C6E6961h; mov dword ptr [esp], esi | 0_2_002744B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004040F4 push 585D1485h; mov dword ptr [esp], ebp | 0_2_00406DB1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E50F5 push ebx; mov dword ptr [esp], 562F2D6Fh | 0_2_004E5134
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E50F5 push eax; mov dword ptr [esp], 559E891Ah | 0_2_004E5151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E50F5 push edx; mov dword ptr [esp], ecx | 0_2_004E5175
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002710EF push 36838ABFh; mov dword ptr [esp], eax | 0_2_002728CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C092 push edx; ret | 0_2_0040C0A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F90E5 push 3EE50401h; mov dword ptr [esp], eax | 0_2_003F94A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F90E5 push ecx; mov dword ptr [esp], eax | 0_2_003F96F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040409C push 0E37E7C7h; mov dword ptr [esp], edi | 0_2_004040A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040409C push edx; mov dword ptr [esp], eax | 0_2_004065F7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040C0A2 push edx; ret | 0_2_0040C0A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040A0A7 push ebx; mov dword ptr [esp], ecx | 0_2_0040A43D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002710CE push esi; mov dword ptr [esp], ebp | 0_2_002724BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0041E0AE push 71C35152h; mov dword ptr [esp], ebp | 0_2_0041ED29
Source: file.exe | Static PE information: section name:  entropy: 7.779976525161044

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26E257 second address: 26E25C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26E25C second address: 26DB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F5DB8BD7D2Eh 0x00000010 nop 0x00000011 jmp 00007F5DB8BD7D1Bh 0x00000016 push dword ptr [ebp+122D0B6Dh] 0x0000001c jc 00007F5DB8BD7D1Ch 0x00000022 mov dword ptr [ebp+122D1CD1h], esi 0x00000028 call dword ptr [ebp+122D1D41h] 0x0000002e pushad 0x0000002f pushad 0x00000030 or edx, 190EF192h 0x00000036 movzx edi, si 0x00000039 popad 0x0000003a xor eax, eax 0x0000003c pushad 0x0000003d or dword ptr [ebp+122D1D50h], eax 0x00000043 mov eax, dword ptr [ebp+122D2E54h] 0x00000049 popad 0x0000004a stc 0x0000004b mov edx, dword ptr [esp+28h] 0x0000004f mov dword ptr [ebp+122D1D50h], esi 0x00000055 mov dword ptr [ebp+122D2BB8h], eax 0x0000005b jnl 00007F5DB8BD7D24h 0x00000061 mov esi, 0000003Ch 0x00000066 jmp 00007F5DB8BD7D1Bh 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f jl 00007F5DB8BD7D1Ch 0x00000075 add dword ptr [ebp+122D1CDCh], edx 0x0000007b jmp 00007F5DB8BD7D24h 0x00000080 lodsw 0x00000082 mov dword ptr [ebp+122D380Bh], ecx 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c jmp 00007F5DB8BD7D29h 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 sub dword ptr [ebp+122D1D50h], esi 0x0000009b nop 0x0000009c push eax 0x0000009d push edx 0x0000009e push edx 0x0000009f jnl 00007F5DB8BD7D16h 0x000000a5 pop edx 0x000000a6 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26DB26 second address: 26DB42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8AAA second address: 3F8AC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D23h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8AC1 second address: 3F8AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F7C43 second address: 3F7C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8BD7D1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F7C55 second address: 3F7C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F7C59 second address: 3F7C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F7DFD second address: 3F7E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F7F4D second address: 3F7F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F8225 second address: 3F822A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F822A second address: 3F822F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F822F second address: 3F823A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F823A second address: 3F8279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8BD7D22h 0x00000009 popad 0x0000000a jmp 00007F5DB8BD7D1Bh 0x0000000f pushad 0x00000010 jnc 00007F5DB8BD7D16h 0x00000016 jmp 00007F5DB8BD7D24h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB2BE second address: 3FB2FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c movzx edi, di 0x0000000f push 00000000h 0x00000011 jnl 00007F5DB8B6AA7Ch 0x00000017 mov dword ptr [ebp+122D39E3h], ecx 0x0000001d call 00007F5DB8B6AA79h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push edx 0x00000026 pop edx 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB2FD second address: 3FB316 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB410 second address: 3FB417 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB44C second address: 3FB470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5DB8BD7D1Ch 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB470 second address: 3FB4C2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5DB8B6AA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F5DB8B6AA89h 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 jmp 00007F5DB8B6AA88h 0x00000018 push 385CC326h 0x0000001d push eax 0x0000001e push edx 0x0000001f jl 00007F5DB8B6AA7Ch 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB614 second address: 3FB619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB6D5 second address: 3FB6E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB6E0 second address: 3FB6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB6E4 second address: 3FB755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 jmp 00007F5DB8B6AA85h 0x0000000d push 00000003h 0x0000000f jmp 00007F5DB8B6AA86h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F5DB8B6AA78h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 mov ecx, edx 0x00000032 push 00000003h 0x00000034 pushad 0x00000035 movzx esi, bx 0x00000038 popad 0x00000039 push B55D0AE0h 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 jnp 00007F5DB8B6AA76h 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB755 second address: 3FB75A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB75A second address: 3FB764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F5DB8B6AA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3FB764 second address: 3FB7CB instructions: 0x00000000 rdtsc 0x00000002 je 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 0AA2F520h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F5DB8BD7D18h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d sub dword ptr [ebp+122D1C84h], esi 0x00000033 lea ebx, dword ptr [ebp+12461133h] 0x00000039 mov ecx, dword ptr [ebp+122D1D80h] 0x0000003f mov edi, dword ptr [ebp+122D367Dh] 0x00000045 xchg eax, ebx 0x00000046 push edi 0x00000047 push ebx 0x00000048 jmp 00007F5DB8BD7D1Ah 0x0000004d pop ebx 0x0000004e pop edi 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F5DB8BD7D1Eh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 419931 second address: 419935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 419935 second address: 419940 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 419940 second address: 419946 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41A27E second address: 41A282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41A282 second address: 41A28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41A437 second address: 41A45E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5DB8BD7D16h 0x00000008 jmp 00007F5DB8BD7D29h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41A45E second address: 41A462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41A462 second address: 41A470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F5DB8BD7D1Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41A5C3 second address: 41A5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8B6AA7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E051C second address: 3E0523 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41B148 second address: 41B14C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 41B14C second address: 41B167 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D27h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4210A3 second address: 4210B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425A1D second address: 425A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jne 00007F5DB8BD7D1Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4262E1 second address: 4262E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4262E5 second address: 4262F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5DB8BD7D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F5DB8BD7D2Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4262F9 second address: 42630F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8B6AA7Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42630F second address: 426319 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5DB8BD7D16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42743B second address: 427472 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5DB8B6AA88h 0x00000008 jmp 00007F5DB8B6AA82h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f add dword ptr [esp], 66C8C803h 0x00000016 sbb di, CAB3h 0x0000001b call 00007F5DB8B6AA79h 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 push edx 0x00000024 pop edx 0x00000025 pop esi 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 427472 second address: 42748C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5DB8BD7D1Ch 0x00000008 jnl 00007F5DB8BD7D16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F5DB8BD7D16h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42748C second address: 4274B8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5DB8B6AA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 je 00007F5DB8B6AA7Ch 0x00000016 jbe 00007F5DB8B6AA76h 0x0000001c jns 00007F5DB8B6AA78h 0x00000022 popad 0x00000023 mov eax, dword ptr [eax] 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4274B8 second address: 4274BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42793F second address: 42795D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5DB8B6AA89h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4279B4 second address: 4279B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4279B8 second address: 4279BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4279BC second address: 4279C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 427FEB second address: 427FEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 427FEF second address: 427FF9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 427FF9 second address: 427FFE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 428272 second address: 428283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a je 00007F5DB8BD7D16h 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 428283 second address: 428288 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 428A3B second address: 428AD1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F5DB8BD7D27h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F5DB8BD7D18h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 add dword ptr [ebp+122D382Ah], eax 0x0000002b mov edi, 32039C00h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F5DB8BD7D18h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c push 00000000h 0x0000004e je 00007F5DB8BD7D22h 0x00000054 jg 00007F5DB8BD7D1Ch 0x0000005a mov esi, dword ptr [ebp+122D38A0h] 0x00000060 xchg eax, ebx 0x00000061 jnp 00007F5DB8BD7D37h 0x00000067 push eax 0x00000068 push edx 0x00000069 jmp 00007F5DB8BD7D1Eh 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4291DB second address: 4291DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A3B7 second address: 42A3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A3BB second address: 42A3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F5DB8B6AA8Dh 0x00000010 jmp 00007F5DB8B6AA87h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A3E2 second address: 42A42B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, dx 0x0000000d push 00000000h 0x0000000f mov esi, dword ptr [ebp+122D3960h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F5DB8BD7D18h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42D850 second address: 42D8EF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5DB8B6AA81h 0x00000008 jmp 00007F5DB8B6AA7Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F5DB8B6AA78h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a jne 00007F5DB8B6AA76h 0x00000030 mov esi, dword ptr [ebp+122D1D4Ah] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F5DB8B6AA78h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 or si, CD3Dh 0x00000057 push 00000000h 0x00000059 pushad 0x0000005a jg 00007F5DB8B6AA7Bh 0x00000060 and ax, EEC0h 0x00000065 jmp 00007F5DB8B6AA83h 0x0000006a popad 0x0000006b push eax 0x0000006c pushad 0x0000006d jno 00007F5DB8B6AA7Ch 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42D8EF second address: 42D8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42B646 second address: 42B64C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42B64C second address: 42B650 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42B650 second address: 42B66B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007F5DB8B6AA88h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F5DB8B6AA7Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43181C second address: 431822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434D4B second address: 434D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E6FEE second address: 3E6FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E028 second address: 42E032 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5DB8B6AA7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 431EDD second address: 431EF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jc 00007F5DB8BD7D16h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 432F6C second address: 432F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437448 second address: 43744E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 431EF0 second address: 431EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 432F70 second address: 432FA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5DB8BD7D26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43744E second address: 437467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43853B second address: 438541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43A432 second address: 43A4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F5DB8B6AA7Ah 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F5DB8B6AA78h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007F5DB8B6AA78h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 or dword ptr [ebp+122D3010h], edi 0x0000004a push 00000000h 0x0000004c mov edi, dword ptr [ebp+12471412h] 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 push edx 0x00000056 jmp 00007F5DB8B6AA7Ah 0x0000005b pop edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43A4AA second address: 43A4CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5DB8BD7D1Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43A4CE second address: 43A4DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5DB8B6AA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434025 second address: 43402A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434F13 second address: 434F17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4376A2 second address: 4376A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43402A second address: 434031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 434F17 second address: 434F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F5DB8BD7D16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4376A8 second address: 4376AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43876C second address: 43877E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jbe 00007F5DB8BD7D1Eh 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43B5B4 second address: 43B5F9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5DB8B6AA78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d adc di, 908Ch 0x00000012 jmp 00007F5DB8B6AA7Dh 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a jmp 00007F5DB8B6AA87h 0x0000001f pop edi 0x00000020 push 00000000h 0x00000022 mov bh, 7Ah 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4376AC second address: 4376B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4397B0 second address: 4397B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43B5F9 second address: 43B61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5DB8BD7D29h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43C641 second address: 43C67A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007F5DB8B6AA7Bh 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop ecx 0x00000012 nop 0x00000013 mov dword ptr [ebp+1245CCFBh], ecx 0x00000019 push 00000000h 0x0000001b add bx, 0F67h 0x00000020 push 00000000h 0x00000022 or dword ptr [ebp+122D33DFh], ebx 0x00000028 push eax 0x00000029 jo 00007F5DB8B6AA88h 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43C67A second address: 43C67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D73E second address: 43D7CD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F5DB8B6AA82h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sbb ebx, 7ECD4538h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F5DB8B6AA78h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebp 0x00000035 call 00007F5DB8B6AA78h 0x0000003a pop ebp 0x0000003b mov dword ptr [esp+04h], ebp 0x0000003f add dword ptr [esp+04h], 00000019h 0x00000047 inc ebp 0x00000048 push ebp 0x00000049 ret 0x0000004a pop ebp 0x0000004b ret 0x0000004c mov bx, 7CAAh 0x00000050 jbe 00007F5DB8B6AA7Ch 0x00000056 mov ebx, dword ptr [ebp+12471412h] 0x0000005c xchg eax, esi 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F5DB8B6AA85h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440745 second address: 440753 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440753 second address: 440757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 440757 second address: 4407B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F5DB8BD7D18h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F5DB8BD7D18h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000016h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov edi, 31447BD4h 0x00000045 push edi 0x00000046 mov dword ptr [ebp+122D1D72h], edi 0x0000004c pop ebx 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 jnl 00007F5DB8BD7D16h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43B804 second address: 43B8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F5DB8B6AA78h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov bl, dh 0x00000027 jp 00007F5DB8B6AA7Eh 0x0000002d push dword ptr fs:[00000000h] 0x00000034 ja 00007F5DB8B6AA7Ch 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov dword ptr [ebp+12471321h], esi 0x00000047 mov eax, dword ptr [ebp+122D176Dh] 0x0000004d js 00007F5DB8B6AA7Ch 0x00000053 or dword ptr [ebp+122D33F2h], esi 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push edx 0x0000005e call 00007F5DB8B6AA78h 0x00000063 pop edx 0x00000064 mov dword ptr [esp+04h], edx 0x00000068 add dword ptr [esp+04h], 0000001Ch 0x00000070 inc edx 0x00000071 push edx 0x00000072 ret 0x00000073 pop edx 0x00000074 ret 0x00000075 nop 0x00000076 pushad 0x00000077 jg 00007F5DB8B6AA78h 0x0000007d push edi 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D8FB second address: 43D905 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43E998 second address: 43E9A2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5DB8B6AA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43F9E8 second address: 43FA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jmp 00007F5DB8BD7D1Bh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43C8D1 second address: 43C8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F5DB8B6AA76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D905 second address: 43D92D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F5DB8BD7D23h 0x00000012 jmp 00007F5DB8BD7D1Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4427E1 second address: 4427EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5DB8B6AA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D92D second address: 43D937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F5DB8BD7D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4427EB second address: 4427EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F2BFF second address: 3F2C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3F2C05 second address: 3F2C21 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5DB8B6AA84h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D9F9 second address: 43D9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 442EDB second address: 442EE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F5DB8B6AA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 443F12 second address: 443F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 443087 second address: 44308B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 444087 second address: 444091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F5DB8BD7D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 444091 second address: 444095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 452AC4 second address: 452AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 452AC8 second address: 452AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA7Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F5DB8B6AA89h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 452AEF second address: 452AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F5DB8BD7D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 452AF9 second address: 452B11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a je 00007F5DB8B6AA76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 452B11 second address: 452B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8BD7D1Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 452CC9 second address: 452CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 459BC6 second address: 459C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F5DB8BD7D1Ch 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F5DB8BD7D20h 0x00000014 mov eax, dword ptr [eax] 0x00000016 jno 00007F5DB8BD7D2Eh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F5DB8BD7D26h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 459C28 second address: 459C3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8B6AA7Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 459C3B second address: 459C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4606D2 second address: 4606D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4606D6 second address: 4606F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5DB8BD7D1Dh 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F5DB8BD7D16h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FB48 second address: 45FB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 je 00007F5DB8B6AA92h 0x0000000b jns 00007F5DB8B6AA7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FB7F second address: 45FB89 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5DB8BD7D16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4600B3 second address: 4600BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46035E second address: 460362 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 460362 second address: 460374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F5DB8B6AA76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 460374 second address: 46037C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46037C second address: 460380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 460380 second address: 46039A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5DB8BD7D20h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46039A second address: 46039E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46039E second address: 4603A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 460512 second address: 460518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 460518 second address: 46051C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46051C second address: 46052E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F5DB8B6AA76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46052E second address: 460563 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D22h 0x00000007 ja 00007F5DB8BD7D16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F5DB8BD7D25h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 466B7C second address: 466B80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 466B80 second address: 466B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 465A3E second address: 465A79 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5DB8B6AA88h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F5DB8B6AA8Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 465D7D second address: 465D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 465D82 second address: 465D9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F5DB8B6AA86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 465F2D second address: 465F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 465549 second address: 465559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F5DB8B6AA76h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 465559 second address: 46555D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46637E second address: 46638B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 je 00007F5DB8B6AA76h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46638B second address: 466399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 466399 second address: 4663B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F5DB8B6AA82h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4667F8 second address: 4667FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4667FD second address: 466812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 466812 second address: 466821 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5DB8BD7D16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 466821 second address: 466833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5DB8B6AA7Bh 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46ADB1 second address: 46ADB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46B4A5 second address: 46B4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46B4AE second address: 46B4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46B896 second address: 46B89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 412964 second address: 412970 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jbe 00007F5DB8BD7D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46BE8A second address: 46BE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC03C second address: 3EC040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC040 second address: 3EC055 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F5DB8B6AA76h 0x0000000d jnc 00007F5DB8B6AA76h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC055 second address: 3EC064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42E8F8 second address: 42E8FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42E8FC second address: 42E916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dl, bh 0x0000000c lea eax, dword ptr [ebp+1249462Bh] 0x00000012 mov edx, eax 0x00000014 push eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42EE94 second address: 42EE9E instructions: 0x00000000 rdtsc 0x00000002 js 00007F5DB8B6AA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42EE9E second address: 26DB26 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov cx, di 0x0000000e push dword ptr [ebp+122D0B6Dh] 0x00000014 sbb ecx, 19E813BAh 0x0000001a call dword ptr [ebp+122D1D41h] 0x00000020 pushad 0x00000021 pushad 0x00000022 or edx, 190EF192h 0x00000028 movzx edi, si 0x0000002b popad 0x0000002c xor eax, eax 0x0000002e pushad 0x0000002f or dword ptr [ebp+122D1D50h], eax 0x00000035 mov eax, dword ptr [ebp+122D2E54h] 0x0000003b popad 0x0000003c stc 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 mov dword ptr [ebp+122D1D50h], esi 0x00000047 mov dword ptr [ebp+122D2BB8h], eax 0x0000004d jnl 00007F5DB8BD7D24h 0x00000053 pushad 0x00000054 mov edx, dword ptr [ebp+122D2E70h] 0x0000005a or dword ptr [ebp+122D1CDCh], edi 0x00000060 popad 0x00000061 mov esi, 0000003Ch 0x00000066 jmp 00007F5DB8BD7D1Bh 0x0000006b add esi, dword ptr [esp+24h] 0x0000006f jl 00007F5DB8BD7D1Ch 0x00000075 add dword ptr [ebp+122D1CDCh], edx 0x0000007b jmp 00007F5DB8BD7D24h 0x00000080 lodsw 0x00000082 mov dword ptr [ebp+122D380Bh], ecx 0x00000088 add eax, dword ptr [esp+24h] 0x0000008c jmp 00007F5DB8BD7D29h 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 sub dword ptr [ebp+122D1D50h], esi 0x0000009b nop 0x0000009c push eax 0x0000009d push edx 0x0000009e push edx 0x0000009f jnl 00007F5DB8BD7D16h 0x000000a5 pop edx 0x000000a6 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42EF0B second address: 42EF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42EF0F second address: 42EF1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42EF1E second address: 42EF39 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5DB8B6AA7Ch 0x00000008 js 00007F5DB8B6AA76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F5DB8B6AA78h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42EF39 second address: 42EF50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push ecx 0x0000000f jc 00007F5DB8BD7D1Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F199 second address: 42F19F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F19F second address: 42F1A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F1A5 second address: 42F1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F1A9 second address: 42F1DE instructions: 0x00000000 rdtsc 0x00000002 js 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnp 00007F5DB8BD7D22h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F5DB8BD7D20h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F1DE second address: 42F1E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F1E4 second address: 42F1F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F1F5 second address: 42F1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F1FA second address: 42F214 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5DB8BD7D1Ch 0x00000008 jne 00007F5DB8BD7D16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F41B second address: 42F48C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5DB8B6AA8Ah 0x00000008 jmp 00007F5DB8B6AA84h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F5DB8B6AA78h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov edx, dword ptr [ebp+122D2E74h] 0x00000032 push 00000004h 0x00000034 mov edx, dword ptr [ebp+122D2236h] 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jmp 00007F5DB8B6AA83h 0x00000043 jmp 00007F5DB8B6AA7Ah 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F48C second address: 42F4A3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F5DB8BD7D1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F4A3 second address: 42F4A9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42F83A second address: 42F8A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F5DB8BD7D27h 0x0000000e jmp 00007F5DB8BD7D20h 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F5DB8BD7D18h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f push edi 0x00000030 mov dword ptr [ebp+122D3A4Dh], eax 0x00000036 pop edi 0x00000037 mov dl, F9h 0x00000039 push 0000001Eh 0x0000003b mov cl, bl 0x0000003d nop 0x0000003e push edi 0x0000003f pushad 0x00000040 je 00007F5DB8BD7D16h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FBF7 second address: 42FC33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F5DB8B6AA7Bh 0x0000000f lea eax, dword ptr [ebp+1249466Fh] 0x00000015 call 00007F5DB8B6AA7Fh 0x0000001a mov dword ptr [ebp+122D1D1Dh], ecx 0x00000020 pop edi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jnp 00007F5DB8B6AA76h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FC33 second address: 42FC37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FC37 second address: 42FC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FC3D second address: 42FC8C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F5DB8BD7D26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d pushad 0x0000000e mov ebx, dword ptr [ebp+122D2432h] 0x00000014 mov eax, 7C497617h 0x00000019 popad 0x0000001a lea eax, dword ptr [ebp+1249462Bh] 0x00000020 adc dh, FFFFFFD5h 0x00000023 nop 0x00000024 pushad 0x00000025 jmp 00007F5DB8BD7D27h 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FC8C second address: 42FC98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42FC98 second address: 412964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F5DB8BD7D18h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 call dword ptr [ebp+122D1E2Dh] 0x0000002b jns 00007F5DB8BD7D2Eh 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 jne 00007F5DB8BD7D16h 0x0000003b jmp 00007F5DB8BD7D1Fh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46F91F second address: 46F925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46F925 second address: 46F931 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46FD70 second address: 46FD76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46FD76 second address: 46FD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46FD7B second address: 46FD93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8B6AA84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46FD93 second address: 46FD9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 470237 second address: 47023C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 470393 second address: 470399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 470399 second address: 47039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47039D second address: 4703A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4744C3 second address: 4744CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F5DB8B6AA76h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4744CE second address: 474503 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5DB8BD7D2Ah 0x00000008 jmp 00007F5DB8BD7D24h 0x0000000d pushad 0x0000000e jmp 00007F5DB8BD7D20h 0x00000013 jg 00007F5DB8BD7D16h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47716F second address: 477188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F5DB8B6AA76h 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 je 00007F5DB8B6AA76h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 477188 second address: 4771A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jng 00007F5DB8BD7D30h 0x0000000d push esi 0x0000000e jc 00007F5DB8BD7D16h 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD0EA second address: 3DD0F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47915B second address: 47916A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007F5DB8BD7D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47916A second address: 47918D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8B6AA89h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47918D second address: 4791A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F5DB8BD7D16h 0x0000000a jmp 00007F5DB8BD7D1Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4791A7 second address: 4791B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5DB8B6AA7Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BCD5 second address: 47BCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BCDB second address: 47BCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BCE4 second address: 47BD0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F5DB8BD7D16h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jmp 00007F5DB8BD7D22h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F5DB8BD7D16h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BE93 second address: 47BE9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BE9E second address: 47BEA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47BEA4 second address: 47BEB9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F5DB8B6AA78h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jne 00007F5DB8B6AA7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4800FB second address: 480101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 480101 second address: 480107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47F879 second address: 47F8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F5DB8BD7D16h 0x0000000a jmp 00007F5DB8BD7D27h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47F8A3 second address: 47F8A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47F8A9 second address: 47F8AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47F9F2 second address: 47F9F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 47F9F6 second address: 47F9FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48640A second address: 486434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F5DB8B6AA81h 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 486434 second address: 48644C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D1Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F5DB8BD7D16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EA560 second address: 3EA567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48519B second address: 4851C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F5DB8BD7D2Bh 0x0000000e popad 0x0000000f jnp 00007F5DB8BD7D26h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 485316 second address: 48531A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48531A second address: 48531E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48942C second address: 489430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4895B7 second address: 4895CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F5DB8BD7D1Bh 0x0000000b pop edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4895CC second address: 4895D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4895D9 second address: 4895E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jl 00007F5DB8BD7D16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4895E7 second address: 4895EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4895EE second address: 489618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D24h 0x00000007 pushad 0x00000008 jno 00007F5DB8BD7D16h 0x0000000e jmp 00007F5DB8BD7D1Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4898DF second address: 4898E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4898E5 second address: 4898F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F5DB8BD7D1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 489B98 second address: 489B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F473 second address: 48F47D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F5DB8BD7D1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F47D second address: 48F487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F487 second address: 48F48B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F48B second address: 48F4AB instructions: 0x00000000 rdtsc 0x00000002 jo 00007F5DB8B6AA76h 0x00000008 jng 00007F5DB8B6AA76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 jmp 00007F5DB8B6AA7Ah 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F757 second address: 48F761 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F761 second address: 48F76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F5DB8B6AA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48F76B second address: 48F771 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FA55 second address: 48FA6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8B6AA85h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FA6E second address: 48FA72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FA72 second address: 48FA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FA78 second address: 48FA99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F5DB8BD7D23h 0x00000008 jng 00007F5DB8BD7D16h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD03 second address: 48FD31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5DB8B6AA80h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD31 second address: 48FD35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD35 second address: 48FD39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD39 second address: 48FD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD45 second address: 48FD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD4B second address: 48FD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD4F second address: 48FD55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD55 second address: 48FD61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F5DB8BD7D16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48FD61 second address: 48FD6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490870 second address: 49087A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5DB8BD7D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49087A second address: 49087E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49087E second address: 4908A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F5DB8BD7D27h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4908A0 second address: 4908A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490B42 second address: 490B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5DB8BD7D16h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490B55 second address: 490B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 490B59 second address: 490B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D27h 0x00000007 jmp 00007F5DB8BD7D24h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490B88 second address: 490BA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA82h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4937BE second address: 4937CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F5DB8BD7D16h 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 494DD2 second address: 494DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D203 second address: 49D216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007F5DB8BD7D1Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49D216 second address: 49D22B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8B6AA7Bh 0x00000009 jno 00007F5DB8B6AA76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E398B second address: 3E3990 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E3990 second address: 3E399D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F5DB8B6AA7Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C40E second address: 49C423 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C423 second address: 49C42F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F5DB8B6AA76h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C42F second address: 49C43E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D1Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C43E second address: 49C447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C562 second address: 49C56D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C56D second address: 49C573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C573 second address: 49C579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C579 second address: 49C57F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49CDD0 second address: 49CDDA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F5DB8BD7D1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49CF2A second address: 49CF4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA88h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007F5DB8B6AA76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A57EB second address: 4A57EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A39CA second address: 4A39F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8B6AA83h 0x00000009 jmp 00007F5DB8B6AA86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A427B second address: 4A427F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A455A second address: 4A455E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A455E second address: 4A4564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A4564 second address: 4A456E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A456E second address: 4A4572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A486B second address: 4A4872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A4872 second address: 4A488E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8BD7D26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A488E second address: 4A4892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A4892 second address: 4A4896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A4896 second address: 4A48AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F5DB8B6AA9Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A48AA second address: 4A48AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A48AE second address: 4A48BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A56B1 second address: 4A56B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A56B7 second address: 4A56DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8B6AA85h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F5DB8B6AA7Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A35CB second address: 4A35DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jnp 00007F5DB8BD7D1Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABF1C second address: 4ABF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5DB8B6AA76h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABF2C second address: 4ABF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop ebx 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F5DB8BD7D25h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AB931 second address: 4AB952 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5DB8B6AA93h 0x00000008 jmp 00007F5DB8B6AA87h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6CD0 second address: 4B6CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F5DB8BD7D24h 0x0000000f jmp 00007F5DB8BD7D1Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B6A0D second address: 4B6A30 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F5DB8B6AA76h 0x00000008 jmp 00007F5DB8B6AA84h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4B9C55 second address: 4B9C7D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007F5DB8BD7D1Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F5DB8BD7D1Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C1BC9 second address: 4C1BD0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0793 second address: 4C0797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C0797 second address: 4C07AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jns 00007F5DB8B6AA76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4C07AF second address: 4C07B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEAB9 second address: 3DEABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDBF4 second address: 4CDBFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDBFA second address: 4CDBFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CDBFE second address: 4CDC14 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F5DB8BD7D16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D645C second address: 4D6462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D506C second address: 4D5072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D5072 second address: 4D509E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F5DB8B6AA87h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D9EA1 second address: 4D9EC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F5DB8BD7D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F5DB8BD7D18h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F5DB8BD7D20h 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D9EC9 second address: 4D9ECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D9ECD second address: 4D9EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D9EDB second address: 4D9EEF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F5DB8B6AA78h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D9EEF second address: 4D9EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC644 second address: 4DC64E instructions: 0x00000000 rdtsc 0x00000002 js 00007F5DB8B6AA76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DC505 second address: 4DC50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E07B4 second address: 4E07C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8B6AA81h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F367D second address: 4F3685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F3685 second address: 4F3698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push esi 0x00000008 jnp 00007F5DB8B6AA76h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F3698 second address: 4F369E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F369E second address: 4F36A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F36A2 second address: 4F36B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5DB8BD7D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F36B5 second address: 4F36BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F5DB8B6AA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F36BF second address: 4F36C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F36C3 second address: 4F36C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F64D9 second address: 4F64F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5DB8BD7D26h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F61F3 second address: 4F61F9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F61F9 second address: 4F6202 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC0E7 second address: 4FC0FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F5DB8B6AA7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC0FA second address: 4FC100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC100 second address: 4FC106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC59C second address: 4FC5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC5A1 second address: 4FC5AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F5DB8B6AA76h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC777 second address: 4FC794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8BD7D23h 0x00000009 jno 00007F5DB8BD7D16h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC794 second address: 4FC79A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC914 second address: 4FC942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jnl 00007F5DB8BD7D33h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFC43 second address: 4FFC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFC49 second address: 4FFC4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFC4F second address: 4FFC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5DB8B6AA7Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F5DB8B6AA76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 508179 second address: 50817E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A17C second address: 50A194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5DB8B6AA84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A194 second address: 50A198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A198 second address: 50A1A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F5DB8B6AA76h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A1A8 second address: 50A1AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A1AC second address: 50A1BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A1BB second address: 50A1BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A1BF second address: 50A1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jno 00007F5DB8B6AA76h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A1D3 second address: 50A1EB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5DB8BD7D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F5DB8BD7D1Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50A1EB second address: 50A1EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FFDDE second address: 4FFDE8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5DB8BD7D1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50109D second address: 5010A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F5DB8B6AA76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5010A7 second address: 5010AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
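Each interceptor entry above records two consecutive RDTSC executions and the instructions between them. The gap holds only push/pop pairs, pushad/popad and short jumps that do no real work, which is what a timing check looks like after the protector (the Oreans.vxd and Software\WinLicense strings further down point at WinLicense) has padded it. The following is an added example, not code from the sample or from Joe Sandbox, of the underlying check in C for GCC/Clang: two timestamp reads bracket a short stretch of code, and a delta far above the bare-metal cost is taken to mean single-stepping, emulation or a hypervisor that traps RDTSC. The threshold of 2000 ticks and the sample count are assumptions, not values recovered from the sample; on a non-x86 host the example falls back to a monotonic clock so that it still builds.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>              /* __rdtsc() on GCC/Clang */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
#include <time.h>
/* Fallback for non-x86 hosts: nanoseconds from a monotonic clock stand in for TSC ticks. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* Assumed threshold (not taken from the sample): two back-to-back RDTSCs cost tens of
 * cycles on bare metal, while a VM exit or a single-step trap adds thousands. */
#define ASSUMED_TSC_THRESHOLD 2000u

/* Pure decision logic on one pair of readings. A counter that runs backwards is
 * reported as suspicious as well: a sandbox that hooks RDTSC and hands back
 * made-up values can produce exactly that. */
int rdtsc_pair_suspicious(uint64_t first, uint64_t second, uint64_t threshold) {
    if (second < first) return 1;
    return (second - first) > threshold;
}

/* Smallest delta over several pairs. Interrupts and context switches only ever make
 * a delta larger, so the minimum is the best estimate of the true cost and is the
 * value a careful check compares; a single sample is too noisy to act on. */
uint64_t min_delta(const uint64_t *first, const uint64_t *second, size_t n) {
    uint64_t best = UINT64_MAX;
    for (size_t i = 0; i < n; i++) {
        if (second[i] < first[i]) continue;            /* discard broken pairs */
        uint64_t d = second[i] - first[i];
        if (d < best) best = d;
    }
    return best;                                       /* UINT64_MAX if nothing usable */
}

/* Live measurement: `samples` pairs of reads with a trivial stretch of code between
 * them, mirroring the log entries above. Plain RDTSC is not serialising, so the CPU
 * may reorder it around the work; the sample does not care and neither does this. */
uint64_t measure_min_delta(unsigned samples) {
    enum { MAX_SAMPLES = 64 };
    uint64_t t0[MAX_SAMPLES], t1[MAX_SAMPLES];
    volatile uint32_t sink = 0;
    if (samples > MAX_SAMPLES) samples = MAX_SAMPLES;
    for (unsigned i = 0; i < samples; i++) {
        t0[i] = read_counter();
        sink ^= (uint32_t)t0[i];                       /* stands in for the push/pop padding */
        t1[i] = read_counter();
    }
    return min_delta(t0, t1, samples);
}

int main(void) {
    uint64_t d = measure_min_delta(32);
    printf("min delta over 32 pairs: %llu -> %s\n", (unsigned long long)d,
           rdtsc_pair_suspicious(0, d, ASSUMED_TSC_THRESHOLD) ? "instrumented?" : "looks native");
    return 0;
}
```

Sandboxes counter this by intercepting RDTSC and returning plausible increments, which is exactly why the report can list every pair: the interceptor sees both reads. A check that also compares against a second clock (QueryPerformanceCounter or GetTickCount) is harder to fool consistently, but the sample, as logged, relies on RDTSC alone.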
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 26DAF4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 26DB5E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 41F7CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 44565D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 4AD4E3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Memory allocated: 5430000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 56D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 76D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0026E143 rdtsc 0_2_0026E143
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D09E sidt fword ptr [esp-02h] 0_2_0040D09E
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7628 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
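The `sidt fword ptr [esp-02h]` at 0_2_0040D09E stores the 48-bit IDTR image (a 16-bit limit followed by the 32-bit linear base of the interrupt descriptor table) onto the stack; that is the "Red Pill" virtualization check, which worked because older hypervisors relocated the guest's IDT into the top of the address space. The following is an added example, not code from the sample, that decodes such a 6-byte image and applies the classic heuristic. The comparison against a top byte above 0xD0 is the one Rutkowska's 2004 Red Pill used and is an assumption about what this sample tests; the report does not show the comparison. Caveats a practitioner should keep in mind before trusting the result in either direction: every logical CPU has its own IDT, so the answer depends on which core the thread was scheduled on; the threshold says nothing about 64-bit kernels; hardware-assisted hypervisors do not relocate the IDT at all; and on CPUs with UMIP enabled, SIDT from user mode faults or is emulated with a dummy base. The live read is therefore gated on a 32-bit x86 build and nothing depends on it.

```c
#include <stdint.h>
#include <stdio.h>

/* IDTR as a 32-bit `sidt m48` stores it: 16-bit limit, then 32-bit linear base,
 * both little-endian, six bytes in total (the "fword" in the disassembly above). */
struct idtr32 {
    uint16_t limit;
    uint32_t base;
};

struct idtr32 parse_idtr32(const uint8_t image[6]) {
    struct idtr32 r;
    r.limit = (uint16_t)(image[0] | ((uint16_t)image[1] << 8));
    r.base  = (uint32_t)image[2]
            | ((uint32_t)image[3] << 8)
            | ((uint32_t)image[4] << 16)
            | ((uint32_t)image[5] << 24);
    return r;
}

/* Assumed heuristic from the original Red Pill: a 32-bit Windows kernel keeps its
 * IDT well below 0xD0000000, while VMware and Virtual PC guests of that era saw
 * it at 0xFFxxxxxx and 0xE8xxxxxx respectively. The test is on the top byte only. */
int idt_base_suggests_vm(uint32_t base) {
    return (base >> 24) > 0xD0u;
}

/* Decode an image and classify it in one step. */
int redpill_from_image(const uint8_t image[6]) {
    return idt_base_suggests_vm(parse_idtr32(image).base);
}

#if defined(__i386__)
/* Live 32-bit read, the same instruction the sample executes. Only meaningful in a
 * 32-bit build on a CPU/OS that lets user mode execute SIDT (no UMIP). */
void read_idtr32(uint8_t image[6]) {
    __asm__ volatile("sidt %0" : "=m"(*(uint8_t (*)[6])image));
}
#endif

int main(void) {
    /* Constructed IDTR images, not values captured from the sample. */
    const uint8_t vmware_like[6] = { 0xFF, 0x07, 0x00, 0x00, 0xC0, 0xFF };  /* base 0xFFC00000 */
    const uint8_t native_like[6] = { 0xFF, 0x07, 0x00, 0x54, 0xB9, 0x80 };  /* base 0x80B95400 */
    printf("base 0x%08X limit 0x%04X -> %s\n", parse_idtr32(vmware_like).base,
           parse_idtr32(vmware_like).limit, redpill_from_image(vmware_like) ? "VM?" : "native");
    printf("base 0x%08X limit 0x%04X -> %s\n", parse_idtr32(native_like).base,
           parse_idtr32(native_like).limit, redpill_from_image(native_like) ? "VM?" : "native");
    return 0;
}
```

The registry reads of DriverDesc, SystemBiosVersion and VideoBiosVersion and the HARDWARE\ACPI\DSDT\VBOX__ string listed above are the complementary, software-level checks: they look for vendor names rather than for CPU state, and are the ones a sandbox can most easily neutralise by renaming.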

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0026E143 rdtsc 0_2_0026E143
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C19A LdrInitializeThunk,0_2_0040C19A
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044D0FF GetSystemTime,GetFileTime,0_2_0044D0FF

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 271 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 271 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Bypass User Account Control | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1561839
Start date and time:2024-11-24 12:48:09 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 24s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.463027407824113
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'814'464 bytes
MD5:055e708a61203da74b8aa9a30a791b40
SHA1:9e161a2721659478c2737bebfbd0adb94642eb21
SHA256:84d2e346bb7f4ea07164470eff9eef746dc196a2a7a94ec375133daa958d594e
SHA512:44f65be3835129d8c29ce63ccf094731b74423caaa378bd944b25b7d8c5e9cdda843be891d7e909176506ba6824c76b9690f87eedefaaf7cda4dab5e836a46d7
SSDEEP:49152:j7PlMArSDpMkM3BbpRlVrn9YtK4m3vckDZlBXuf:j7tnrSDp1M3RpRbrnYavc2lB
TLSH:D7D53B62F55472CBD48E167889ABCD92E95E43F9472408C3DC6CA47E7EA3CC115BBC28
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`+.. ...`....@.. ........................+.......*...`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x6b6000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F5DB8E29FFAh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x2000 | 0x4000 | 0x1200 | d2a9276158ef9eca487977614e928f1b | False | 0.9318576388888888 | data | 7.779976525161044 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
cmdvelvm | 0xa000 | 0x2aa000 | 0x2a9200 | 1217736a45e51435a53b849a9cf9e46a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fzyhajxw | 0x2b4000 | 0x2000 | 0x400 | ca3635b769ba1a4866ff3a3c8f5de679 | False | 0.7724609375 | data | 6.043664776792846 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2b6000 | 0x4000 | 0x2200 | 9ca424dbf7e0915f4df45dc93583cf53 | False | 0.06583180147058823 | DOS executable (COM) | 0.769472325131959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID:0
Start time:06:49:05
Start date:24/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x260000
File size:2'814'464 bytes
MD5 hash:055E708A61203DA74B8AA9A30A791B40
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.1%
    Dynamic/Decrypted Code Coverage:4.1%
    Signature Coverage:0%
    Total number of Nodes:290
    Total number of Limit Nodes:9

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0044A796
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0044A7AA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: ec3724155b1c0c81145209b1daeb15ba08b91ed7aa946be5c0777dd9e8bc4546
    • Instruction ID: bef95d2d23f41b7b756b0defb24e45de03a4eca5481cda13efcb0802e7aac493
    • Opcode Fuzzy Hash: ec3724155b1c0c81145209b1daeb15ba08b91ed7aa946be5c0777dd9e8bc4546
    • Instruction Fuzzy Hash: 2431A731144109EFFF21AF60D800AAE7BB6BF04354F10402BF9069A221D738D9B5EB5A

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0044AB1D,?,00000000,00000000), ref: 0044AC48
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0044AB1D,?,00000000,00000000), ref: 0044AC56
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: f3faf41075e8fe6b0bd961053efe28f2605873c96f1ffdd845a208b2470665e8
    • Instruction ID: b7b582b778757d8bfdade0982ae55b649f399a22072a915643d25c3478cd6522
    • Opcode Fuzzy Hash: f3faf41075e8fe6b0bd961053efe28f2605873c96f1ffdd845a208b2470665e8
    • Instruction Fuzzy Hash: 04114870284609EBFB749F20C84C7AA7AA1AF01349F048227A505441E1DBBDA9B4DA9B

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(01671214,-12065FEC), ref: 0044D55E
    • GetFileAttributesA.KERNEL32(00000000,-12065FEC), ref: 0044D56C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: ac599efe42cd9a3b407da65ba47da0525e6dedfbd165ce85cb7feba9aecf1ab9
    • Instruction ID: ac1c1f0941277488fa57d2621158f54d9e8ae53eb1bf379dc7c2af8ffef741f2
    • Opcode Fuzzy Hash: ac599efe42cd9a3b407da65ba47da0525e6dedfbd165ce85cb7feba9aecf1ab9
    • Instruction Fuzzy Hash: FF013171A04105FAFB219F65C849B9D7E70AF4134CF204167E50269191CB789E95EB4E

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 85 404d72-405932 88 405934-40594f RegOpenKeyA 85->88 89 40595b-405976 RegOpenKeyA 85->89 88->89 90 405951 88->90 91 405978-405982 89->91 92 40598e-4059ba 89->92 90->89 91->92 95 4059c7-4059d1 92->95 96 4059bc-4059c5 GetNativeSystemInfo 92->96 97 4059d3 95->97 98 4059dd-4059eb 95->98 96->95 97->98 100 4059f7-4059fe 98->100 101 4059ed 98->101 102 405a11 100->102 103 405a04-405a0b 100->103 101->100 105 407239-407261 102->105 103->102 104 404027-406c16 103->104 104->105 112 407508-407cc8 104->112 110 407266 105->110 110->110
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00405947
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0040596E
    • GetNativeSystemInfo.KERNELBASE(?), ref: 004059C5
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: f19df91cb735aecfec38f05027f809b6cfee7028ff77364eb1a78ef845bd17cf
    • Instruction ID: 12bd835eb06512c97d980da5ecc41c3fea633fc024b762cffc42d85fbdf9e0b2
    • Opcode Fuzzy Hash: f19df91cb735aecfec38f05027f809b6cfee7028ff77364eb1a78ef845bd17cf
    • Instruction Fuzzy Hash: 8A4162B151860EDFEB10DF24C8497DF3AA4EB04310F10053AE981D6A81E7B99DA5DF5E

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 114 449565-449595 116 4496c0-4496c1 114->116 117 44959b-4495b0 114->117 117->116 119 4495b6-4495ba 117->119 120 4495c0-4495d2 PathAddExtensionA 119->120 121 4495dc-4495e3 119->121 124 4495db 120->124 122 449605-44960c 121->122 123 4495e9-4495f8 call 449206 121->123 126 449612-449619 122->126 127 44964e-449655 122->127 132 4495fd-4495ff 123->132 124->121 128 449632-449641 call 449206 126->128 129 44961f-449628 126->129 130 449677-44967e 127->130 131 44965b-449671 call 449206 127->131 138 449646-449648 128->138 129->128 133 44962e 129->133 136 449684-44969a call 449206 130->136 137 4496a0-4496a7 130->137 131->116 131->130 132->116 132->122 133->128 136->116 136->137 137->116 141 4496ad-4496ba call 44923f 137->141 138->116 138->127 141->116
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 004495C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 4f2631a8226752a78fe1c6c5ffe848fd2a13d8abae4cd1d9db95552e6c28ad8e
    • Instruction ID: b5cd8fdb3cd6868f52b1a0db65f3811da2ff8651a9a03b0f6e336c86d4a1a859
    • Opcode Fuzzy Hash: 4f2631a8226752a78fe1c6c5ffe848fd2a13d8abae4cd1d9db95552e6c28ad8e
    • Instruction Fuzzy Hash: 58310A31A00209BFEF21DF95C809B9F7776BF54704F010166FA11A51A0D7BA9E61EF58

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 145 44ac74-44ac87 call 448fb2 148 44ac8d-44ac99 call 4496c4 145->148 149 44acca-44acde call 44905d GetModuleHandleExA 145->149 152 44ac9e-44aca0 148->152 155 44ace8-44acea 149->155 152->149 154 44aca6-44acad 152->154 156 44acb6-44ace3 call 44905d 154->156 157 44acb3 154->157 156->155 157->156
    APIs
      • Part of subcall function 00448FB2: GetCurrentThreadId.KERNEL32 ref: 00448FC1
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0044ACD8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 9346fc97182c17d89b239ac6c3c6333e5f848bb545e5662fd5c58c5f5b138c7c
    • Instruction ID: 05ad04fa260f7770dd6327cac8d8fc81ad945a626c8fede2da9a312b4d702f21
    • Opcode Fuzzy Hash: 9346fc97182c17d89b239ac6c3c6333e5f848bb545e5662fd5c58c5f5b138c7c
    • Instruction Fuzzy Hash: CFF0B471200204AFFF60DF55C889AAF3BB1BF54354F108027FE154A292C739C865EB66

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 160 44d701-44d70f 161 44d715-44d71c 160->161 162 44d721 160->162 163 44d728-44d734 call 448fb2 161->163 162->163 166 44d74f-44d75f call 44d6b3 163->166 167 44d73a-44d744 call 44d60e 163->167 173 44d765-44d76c 166->173 174 44d771-44d77f call 4496c4 166->174 167->166 172 44d74a 167->172 176 44d790-44d795 172->176 173->176 174->176 180 44d785-44d786 call 44af08 174->180 178 44d7be-44d7d3 CreateFileA 176->178 179 44d79b-44d7b9 CreateFileW 176->179 181 44d7d9-44d7da 178->181 179->181 184 44d78b 180->184 183 44d7df-44d7e6 call 44905d 181->183 184->183
    APIs
    • CreateFileW.KERNELBASE(01671214,?,?,-12065FEC,?,?,?,-12065FEC,?), ref: 0044D7B3
      • Part of subcall function 0044D6B3: IsBadWritePtr.KERNEL32(?,00000004), ref: 0044D6C1
    • CreateFileA.KERNEL32(?,?,?,-12065FEC,?,?,?,-12065FEC,?), ref: 0044D7D3
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 817e4a3a1ca8210642cdc13dc32ef1e8c486fe44403fb64f780d15feb9ec1add
    • Instruction ID: 66386278f8cb2a4e59da6f546ab585b3f6cabc164670db4d62d390da17b4eda5
    • Opcode Fuzzy Hash: 817e4a3a1ca8210642cdc13dc32ef1e8c486fe44403fb64f780d15feb9ec1add
    • Instruction Fuzzy Hash: 9F113A32904149FAEF229F90CD09B9E7F72BF04348F144027F916645A1C77E99B1EB99

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 187 44d06d-44d083 call 448fb2 GetCurrentProcess 190 44d0c5-44d0e7 call 44905d DuplicateHandle 187->190 191 44d089-44d08c 187->191 197 44d0f1-44d0f3 190->197 191->190 193 44d092-44d095 191->193 193->190 195 44d09b-44d0ae call 448e0c 193->195 195->190 199 44d0b4-44d0ec call 44ae0a call 44905d 195->199 199->197
    APIs
      • Part of subcall function 00448FB2: GetCurrentThreadId.KERNEL32 ref: 00448FC1
    • GetCurrentProcess.KERNEL32(-12065FEC), ref: 0044D07A
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0044D0E0
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: b75808a338b59959bcd0558c501b55a3c9ce1220536a7732c1b375afc337e3bd
    • Instruction ID: 60669bc27f9295eff031e95bf0e92fcc91b8fb4946e664b58ca618049ebceeae
    • Opcode Fuzzy Hash: b75808a338b59959bcd0558c501b55a3c9ce1220536a7732c1b375afc337e3bd
    • Instruction Fuzzy Hash: 5A016D3260004AFBAF22AF95CC0CC9F3B75BF89758B00451BF92196050C739C462EB66

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 44b6ec
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0044B7A1
      • Part of subcall function 00449090: RtlAllocateHeap.NTDLL(00000000,00000000,00448D39,?,?,00448D39,00000008), ref: 004490AA
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AllocateCreateFileHeap
    • String ID:
    • API String ID: 3125202945-0
    • Opcode ID: 50bdfdf1b447ac836c76612d3583f204ec0e7b3005fde8761147edec0ebbe7bf
    • Instruction ID: bb3e912c5e67bd4c444f7e30bf743dc96a1a5e12ee811141d0933ceec08e3566
    • Opcode Fuzzy Hash: 50bdfdf1b447ac836c76612d3583f204ec0e7b3005fde8761147edec0ebbe7bf
    • Instruction Fuzzy Hash: 4131B071A00204FBFB20AF65CC85F9EBBB8FF44314F20816AF515AA291C779D951CB58

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 44af08
    APIs
      • Part of subcall function 00449090: RtlAllocateHeap.NTDLL(00000000,00000000,00448D39,?,?,00448D39,00000008), ref: 004490AA
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0044AF8A
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AllocateCreateFileHeap
    • String ID:
    • API String ID: 3125202945-0
    • Opcode ID: cd6b4b5700755e2bcf680b72a1b49e0909f96fa68879d7b811076aa17c7106a7
    • Instruction ID: 5353d6abe5901e5b067bad096babedf9a32bde9c25041e648904af484d33fb3c
    • Opcode Fuzzy Hash: cd6b4b5700755e2bcf680b72a1b49e0909f96fa68879d7b811076aa17c7106a7
    • Instruction Fuzzy Hash: 2C31F571640204BAF7309F64DC45F9A77B8EF04728F20426AF621AE2D1C37AE955CB58

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 5430d42
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05430DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1890303781.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5430000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 074dfda64299aff26f499d6b4f8347589ad300cb48a6c3ba5e0440aae964914b
    • Instruction ID: ab215bda161e8c279d913ec13656b4b001c84540246a07b3f93cf3055220dcbc
    • Opcode Fuzzy Hash: 074dfda64299aff26f499d6b4f8347589ad300cb48a6c3ba5e0440aae964914b
    • Instruction Fuzzy Hash: A3211AB6C002199FCB50CF99D889ADEFBF5FB88320F15825AD909AB314D7746540CBA4

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 5430d48
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05430DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1890303781.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5430000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 8da2a7381e180bf438046fc9955fda593dc5f742c532fe52ebdf28afd9386b9a
    • Instruction ID: f64d62c9c7485f172fb47e734c680e68156750b40674b21a25cce43c40494730
    • Opcode Fuzzy Hash: 8da2a7381e180bf438046fc9955fda593dc5f742c532fe52ebdf28afd9386b9a
    • Instruction Fuzzy Hash: 622127B6C002199FCB50CF99D885ADEFBF5FF88320F14825AD909AB314D774A540CBA4

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 5431509
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05431580
    Memory Dump Source
    • Source File: 00000000.00000002.1890303781.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5430000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 79afa0f2a3eb1d47fc43d4e2a746acd013c870685c7d91cfa939ab260593deb7
    • Instruction ID: 2c34e7598903cb8d5e835367313f996fc724e88b5b57b1ed3370a066488d5fff
    • Opcode Fuzzy Hash: 79afa0f2a3eb1d47fc43d4e2a746acd013c870685c7d91cfa939ab260593deb7
    • Instruction Fuzzy Hash: 9B2103B59002499FDB10CF9AC585BDEFBF8EB48320F10842AE519A3250D378A644CFA5

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 5431510
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05431580
    Memory Dump Source
    • Source File: 00000000.00000002.1890303781.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5430000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 8e403162b6f7cf69c147f98fd90a2b5f5e22f4b6df37f51a9aa3a27ac82ecb95
    • Instruction ID: fb1776cd83e0eac68b360cda790843b4de2f466a29d938aa7436ec6ae9cd362f
    • Opcode Fuzzy Hash: 8e403162b6f7cf69c147f98fd90a2b5f5e22f4b6df37f51a9aa3a27ac82ecb95
    • Instruction Fuzzy Hash: D911E4B5D002499FDB10CF9AC585BDEFBF8EB48320F14842AE559A3350D378A644CFA5

    Control-flow Graph
    • Graph rendering omitted (legend: Executed / Not Executed); basic blocks start at 5431301
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05431367
    Memory Dump Source
    • Source File: 00000000.00000002.1890303781.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5430000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 47d85667ca4efad771426250e125abec9f2d3ee28b4b7a731f1de647025d1d76
    • Instruction ID: 91dfa1ad0898554a2a03df2fabea94cc0885e261310cfd115cad98b620bbdfc0
    • Opcode Fuzzy Hash: 47d85667ca4efad771426250e125abec9f2d3ee28b4b7a731f1de647025d1d76
    • Instruction Fuzzy Hash: 451125B5800249CFDB10CF9AD945BDEFBF8EB48320F24846AE518A3650D778A944CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05431367
    Memory Dump Source
    • Source File: 00000000.00000002.1890303781.0000000005430000.00000040.00000800.00020000.00000000.sdmp, Offset: 05430000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5430000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 46c2db454868ebddf5561c471232bca9841ab8d17b4138e7007d9437da8c7561
    • Instruction ID: 8f98516a814c24f661d7bee0007af20e77d29376bb8e933cf66720b7c6694d31
    • Opcode Fuzzy Hash: 46c2db454868ebddf5561c471232bca9841ab8d17b4138e7007d9437da8c7561
    • Instruction Fuzzy Hash: 281106B5800249CFDB10CF9AD945BDEFBF8EB48324F24845AD518A3750D778A544CFA5
    APIs
      • Part of subcall function 00448FB2: GetCurrentThreadId.KERNEL32 ref: 00448FC1
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-12065FEC,?,?,0044B634,?,?,00000400,?,00000000,?,00000000), ref: 0044D971
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: 84526b3337d937307433bab6d28bc1224947a7354d3f51da63ecfd682333009a
    • Instruction ID: 1498840eaccd8f1bf399cf7c68eacc3eb03a36fa2c6105a037b5c9e101882273
    • Opcode Fuzzy Hash: 84526b3337d937307433bab6d28bc1224947a7354d3f51da63ecfd682333009a
    • Instruction Fuzzy Hash: 17F03C7220010AFBEF129F95C809E9F3F66BF85354F004027FA1589061C73AC8A2EBA5
    APIs
    • RtlAllocateHeap.NTDLL(00000000,00000000,00448D39,?,?,00448D39,00000008), ref: 004490AA
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: e9c31ccb7e640edccc08abd72e12ef44354cc4dcc0527766050e69993e1bbbbc
    • Instruction ID: 9a734711f49dd456c19d31a858eac6b4d12cc8bcd8c005c321bb1b207334d1df
    • Opcode Fuzzy Hash: e9c31ccb7e640edccc08abd72e12ef44354cc4dcc0527766050e69993e1bbbbc
    • Instruction Fuzzy Hash: 6DD0C972300205B6DA306A699C09E9B7A6CAB85A90F000132B91290044D7A9E45196A5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 773606709f262e419de35b25ca143766a168bb3c6344e329eba911afc802fd80
    • Instruction ID: 38da0ef09b71a073b7dcce3a7b495716d0392e33271dee75f87406db2318c472
    • Opcode Fuzzy Hash: 773606709f262e419de35b25ca143766a168bb3c6344e329eba911afc802fd80
    • Instruction Fuzzy Hash: A001E836A0010EBFEF219FA5CC09D9FBF76FF45340F0041A6E511A4164D7368A62EB64
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 0026E819
    Memory Dump Source
    • Source File: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 2244c817dc49a4589ba07b907affb58a91d620e1443f6116c4ad33af2d706de6
    • Instruction ID: d67a6e0d868c59cd2a6cd9c6d165bbf47d6acdc6db0caa954b4d5eed50956622
    • Opcode Fuzzy Hash: 2244c817dc49a4589ba07b907affb58a91d620e1443f6116c4ad33af2d706de6
    • Instruction Fuzzy Hash: F8F02B76918118DBDB001F29EC0869F76A2EF48330F220B29ECA5533C4C2B15C358B46
    APIs
      • Part of subcall function 00448FB2: GetCurrentThreadId.KERNEL32 ref: 00448FC1
    • CloseHandle.KERNELBASE(0044B6C9,-12065FEC,?,?,0044B6C9,?), ref: 0044BD44
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: e116f15fb3458c99a445fee89257bff6c2b6708a049bec6c95a7beed67f22221
    • Instruction ID: f08ee185cc584a9b8bc6b8fa0e8c97c7bf537fb64477da7e257d380a2256eb30
    • Opcode Fuzzy Hash: e116f15fb3458c99a445fee89257bff6c2b6708a049bec6c95a7beed67f22221
    • Instruction Fuzzy Hash: 61E04FB2604145A6FE206ABAD809D4F6B29AFC2358B00453FB51299051CB2CC896E6AA
    APIs
    • CloseHandle.KERNELBASE(?,?,00448E51,?,?), ref: 0044ADD1
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: abb0ffe5f7516cfe2b2a89ce7cea463fca805bb2d34a94a53b828ea27c962d05
    • Instruction ID: 84a8777fe147a36528c879b5f803e668279905d51ab8a89d7f772a3fab16cd9d
    • Opcode Fuzzy Hash: abb0ffe5f7516cfe2b2a89ce7cea463fca805bb2d34a94a53b828ea27c962d05
    • Instruction Fuzzy Hash: 2DB09B3110410977CB51BF91DC05C8D7F65BF553597008531B557584318775E570D795
    APIs
      • Part of subcall function 00448FB2: GetCurrentThreadId.KERNEL32 ref: 00448FC1
    • GetSystemTime.KERNEL32(?,-12065FEC), ref: 0044D134
    • GetFileTime.KERNEL32(?,?,?,?,-12065FEC), ref: 0044D177
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: 8ed77a5ebc4e2fbb01dd4b63362c7b52c6e0ac309dfcaaa0030618e9c87cb319
    • Instruction ID: 97caab67927bd75217edf08ed3ddff64917db4218ae198d23b0a8185b9e33723
    • Opcode Fuzzy Hash: 8ed77a5ebc4e2fbb01dd4b63362c7b52c6e0ac309dfcaaa0030618e9c87cb319
    • Instruction Fuzzy Hash: 1C012C32604446FBEB21AF5ADC0CD8F7F36EFC5350B104527F81185460C736C9A1DA65
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: V
    • API String ID: 0-1342839628
    • Opcode ID: 7fe28cb63cc4a90b2d4455dcec487ad5ca51dc3b3a95c6e3ca2b2256b9927967
    • Instruction ID: e07d972f5072053952d3e684f33dc5bd697e6fd19ba9db616ee99ede845ba0f2
    • Opcode Fuzzy Hash: 7fe28cb63cc4a90b2d4455dcec487ad5ca51dc3b3a95c6e3ca2b2256b9927967
    • Instruction Fuzzy Hash: 01514DB652C3599FDB018F3485112DB3FA5EF43320F3540AAEC41C7682E2A64C799B59
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4f12e46060ed78ad7035eb010f2e4254e894ce52fbd27d34353f493a722917ba
    • Instruction ID: 21b8f8db81f15bf89d087cdc769580eb5e4d748077789321fd4c64eca55088a7
    • Opcode Fuzzy Hash: 4f12e46060ed78ad7035eb010f2e4254e894ce52fbd27d34353f493a722917ba
    • Instruction Fuzzy Hash: A7416FB250C300EFE301BE29D8856AEFBE5EF84720F16892DE6D483254E7349855CB97
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887600241.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887735851.00000000003DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887751644.00000000003DE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887770776.00000000003F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887806538.000000000041B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887825415.000000000041D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887845089.0000000000438000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887876930.000000000044E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887892948.0000000000450000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887905829.0000000000451000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887919133.0000000000453000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887944489.0000000000468000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887959976.000000000046C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887972087.000000000046D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1887987243.0000000000471000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888001013.0000000000478000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888019489.000000000047A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888033621.000000000047B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888048102.000000000047D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888062380.0000000000488000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888076027.000000000048A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888089896.000000000048B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888107407.0000000000492000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888123247.000000000049B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888145419.000000000049E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888161617.00000000004A6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888173628.00000000004A7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.00000000004FF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888206138.0000000000506000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888236442.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1888250916.0000000000516000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0c51b8b7ce9699733b8ca6c8e2c576ad341b84f5c199d2c487445fb741376697
    • Instruction ID: cf7c7fc5ef973dad2b9fb482ce01aa44c62477be5cf3c8d386f26f02ad4b756b
    • Opcode Fuzzy Hash: 0c51b8b7ce9699733b8ca6c8e2c576ad341b84f5c199d2c487445fb741376697
    • Instruction Fuzzy Hash: 7E316FB250C300EFE301BE29D8856BEFBE5EF84720F168D2DE6D483254E6349855CA97
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: identical to the list of associated memory dumps given above for this source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6bf111d7d853a3e26df114056cc50474c900bb4ea74e8c057ec4ef5ac3547b06
    • Instruction ID: 68837f61da4249c512a6f10327f97cd2441e858d10a1e97fb165555caeeb395e
    • Opcode Fuzzy Hash: 6bf111d7d853a3e26df114056cc50474c900bb4ea74e8c057ec4ef5ac3547b06
    • Instruction Fuzzy Hash: 80316AB250C3009FE711BE2AD8856AEFBE5EF94720F068D2DE6D483254E7349851CB97
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: identical to the list of associated memory dumps given above for this source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 284a88abfdb5cf9529a0d94204766f395f39c771c20379cb1d208c1f019141fd
    • Instruction ID: 14a902f71f1a50c31f5bff7991a81b8fd9cbd27fd22eb2698e927cafd044d5f7
    • Opcode Fuzzy Hash: 284a88abfdb5cf9529a0d94204766f395f39c771c20379cb1d208c1f019141fd
    • Instruction Fuzzy Hash: F93120B110D609DFE705AF25C408A6EBBF0EF50710F26092ED4C296A90E7785896DF1B
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: identical to the list of associated memory dumps given above for this source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9e87a87aeb7e60c15882a1d82e6bcfdf03a9cd6e3c58b72583be90459128ee1f
    • Instruction ID: 871274abaa15b096142301878874dfa159618fd89510ccd50bce2aea857876c2
    • Opcode Fuzzy Hash: 9e87a87aeb7e60c15882a1d82e6bcfdf03a9cd6e3c58b72583be90459128ee1f
    • Instruction Fuzzy Hash: 0E212CB110DA04DFE705AF248408A2ABBF0FF50760F26092ED5C296AA0E7781496DF1B
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: identical to the list of associated memory dumps given above for this source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cb4d9f6f144c704a1f24534ebbd47d737c8fdd815190d3b306c39cdbb3a1fb26
    • Instruction ID: ee3fe905640cbc555e38ff41a0cec421ce558d0a59295a12c553a61f7b00d17d
    • Opcode Fuzzy Hash: cb4d9f6f144c704a1f24534ebbd47d737c8fdd815190d3b306c39cdbb3a1fb26
    • Instruction Fuzzy Hash: 770149B2A64201CBDB108B7489D539F3785EB16320F344777E806FA2C2C57D9C46AA0E
    Memory Dump Source
    • Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: identical to the list of associated memory dumps given above for this source file
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f8d401787e38979b6c21b61dc170f163129372763360e5cad707ffebc6650098
    • Instruction ID: 015091d2d92091e45d18c13c663219d408aa554d599e237a330e8f9cd35e4d38
    • Opcode Fuzzy Hash: f8d401787e38979b6c21b61dc170f163129372763360e5cad707ffebc6650098
    • Instruction Fuzzy Hash: BCE04F360041069AC7009F54C85599FFBF4FF59320F208446F844C7722C2354C41C729
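The same set of memory-dump identifiers is repeated, together with its "Download File" link text, under every function the sandbox analysed, which makes the report hard to read as a memory map. The Python below is an added example for this page and is not Joe Sandbox code: it pulls every distinct .sdmp name out of report text, orders the regions by base address, and marks the ones that are both writable and executable, the regions an unpacker that "changes PE section rights" would leave behind. The report does not document the .sdmp naming scheme, so the field interpretation used here (a base address in field 4, a Win32 memory-protection value in field 5, a Win32 allocation type in field 7) is an assumption; the PAGE_* and MEM_IMAGE constant values themselves are Microsoft's documented ones. The excerpt fed to it is copied from this report, and IMAGE_BASE is taken from the report's "Offset: 00260000".

```python
"""Deduplicate and summarise the memory-dump (.sdmp) identifiers that a Joe Sandbox
report repeats under every analysed function.

Added example for this report page, not Joe Sandbox code.  The .sdmp naming scheme is
not documented on the page; the field meanings below are assumptions, except for the
Win32 PAGE_* and MEM_IMAGE constant values, which are Microsoft's.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Win32 memory-protection constants (values as documented by Microsoft).
PAGE_NAMES: Dict[int, str] = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
MEM_IMAGE = 0x01000000

# Eight dot-separated fields followed by ".sdmp".  Matching without anchors lets the
# same pattern pull names out of "...sdmpDownload File" and "...sdmp, Offset: ..."
# residue in the rendered report.
SDMP_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    process: int   # field 1, assumed: analysed-process index
    phase: int     # field 2, assumed: analysis phase
    dump_id: int   # field 3, assumed: per-dump counter (decimal)
    base: int      # field 4, assumed: region base address
    protect: int   # field 5, assumed: Win32 memory protection (PAGE_*)
    field6: int    # field 6, not interpreted
    mem_type: int  # field 7, assumed: Win32 allocation type (0x01000000 = MEM_IMAGE)
    field8: int    # field 8, not interpreted

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def protect_name(self) -> str:
        return PAGE_NAMES.get(self.protect, f"0x{self.protect:02X}")

    def rva(self, image_base: int) -> int:
        """Offset of this region from the dumped image base (0x260000 on this page)."""
        return self.base - image_base


def parse_sdmp(match: "re.Match[str]") -> DumpRegion:
    f = match.groups()
    return DumpRegion(
        name=match.group(0),
        process=int(f[0], 16), phase=int(f[1], 16), dump_id=int(f[2], 10),
        base=int(f[3], 16), protect=int(f[4], 16), field6=int(f[5], 16),
        mem_type=int(f[6], 16), field8=int(f[7], 16),
    )


def unique_regions(report_text: str) -> List[DumpRegion]:
    """Every distinct .sdmp in the text, listed once and ordered by base address."""
    seen: Dict[str, DumpRegion] = {}
    for m in SDMP_RE.finditer(report_text):
        seen.setdefault(m.group(0), parse_sdmp(m))
    return sorted(seen.values(), key=lambda r: r.base)


def writable_executable(regions: List[DumpRegion]) -> List[DumpRegion]:
    """Regions that are writable and executable: where self-modifying unpacker
    code would run, given the report's 'changes PE section rights' signature."""
    return [r for r in regions if r.writable and r.executable]


# Constructed input: lines copied from this report, keeping the duplicated
# "Associated" entries and the "Download File" link residue, plus two Source File lines.
REPORT_EXCERPT = """\
• Source File: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1887562458.0000000000262000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1887583548.0000000000266000.00000008.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1887623421.0000000000276000.00000080.00000001.01000000.00000003.sdmpDownload File
• Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.1887541470.0000000000260000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1887770776.0000000000402000.00000040.00000001.01000000.00000003.sdmpDownload File
"""
IMAGE_BASE = 0x260000  # "Offset: 00260000" in the report

if __name__ == "__main__":
    for r in unique_regions(REPORT_EXCERPT):
        mark = "RWX" if r.writable and r.executable else "   "
        kind = "MEM_IMAGE" if r.mem_type == MEM_IMAGE else hex(r.mem_type)
        print(f"{mark} base=0x{r.base:08X} rva=0x{r.rva(IMAGE_BASE):06X} {r.protect_name} {kind}")
```

Run against the full report text rather than the excerpt and the output is the de-duplicated memory map of the dumped image: on this page every region with protection 0x40 or 0x80 is both writable and executable, which is consistent with the unpacking and self-modifying-code signatures listed at the top of the report.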
    APIs
      • Part of subcall function 00448FB2: GetCurrentThreadId.KERNEL32 ref: 00448FC1
      • Part of subcall function 0044D6B3: IsBadWritePtr.KERNEL32(?,00000004), ref: 0044D6C1
    • wsprintfA.USER32 ref: 0044C67B
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 0044C73F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: d42c6bf6e93c4e9acf7eb5ea13ddf566b209336dfdff8a2556d3fbf0dabe902f
    • Instruction ID: 503f541cce300e86a9a805709e4321fa895cfd2072dff5df1888bbff909b9ec8
    • Opcode Fuzzy Hash: d42c6bf6e93c4e9acf7eb5ea13ddf566b209336dfdff8a2556d3fbf0dabe902f
    • Instruction Fuzzy Hash: 9E312831A0010AFBDF21DF94DC45EAEBF75FF85310F108126FA11A61A1C7359A61EB94
    APIs
    • GetFileAttributesExW.KERNEL32(01671214,00004020,00000000,-12065FEC), ref: 0044D2F3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1887861164.0000000000444000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 75e4cf44cf6892dbbe8c48bc5cefb52fef0d2a80742a6a12be3cc63d6a7396f2
    • Instruction ID: fcd4803ac23970a82c2cc8a7783098070e3d6f0533c273e494447e6619f52450
    • Opcode Fuzzy Hash: 75e4cf44cf6892dbbe8c48bc5cefb52fef0d2a80742a6a12be3cc63d6a7396f2
    • Instruction Fuzzy Hash: 4F318BB1900605EFEB25CF44D844B8EBBB0FF08300F00852AF95667690C3B8EAA5DF95