
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1562849
MD5: 0d1e5334ceac878a5054ae5dbcfe0942
SHA1: 1e3bdc4a9a1b54c65cd489187c51f41b51f2a3a2
SHA256: fece7908c91ac1248fe2ac0d2bd28f80c59b6d26669d2f144e8d5f92a7d1166b
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1816 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0D1E5334CEAC878A5054AE5DBCFE0942)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | Virustotal: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2129131209.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008DBDC | 0_2_0008DBDC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002F5F37 | 0_2_002F5F37
Source: file.exe, 00000000.00000002.2262111249.0000000000086000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 52%
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this applicationFDS_WL_
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: MRtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeQ
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2865664 > 1048576
Source: file.exe | Static PE information: Raw size of hmogoqra is bigger than: 0x100000 < 0x2b5a00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.2129131209.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.80000.0.unpack :EW;.rsrc:W;.idata :W;hmogoqra:EW;rfkyshch:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2bea48 should be: 0x2c9aa2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: hmogoqra
Source: file.exe | Static PE information: section name: rfkyshch
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D push ebx; mov dword ptr [esp], 7FB5AC64h | 0_2_0021219F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D push 36BAF694h; mov dword ptr [esp], eax | 0_2_002121BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D push 448D5CBFh; mov dword ptr [esp], ecx | 0_2_002121F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D push edi; mov dword ptr [esp], 74B71C9Ch | 0_2_0021220B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D push edi; mov dword ptr [esp], ebp | 0_2_00212285
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008E593 push 1B2B1E7Bh; mov dword ptr [esp], ebx | 0_2_0008F467
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008E593 push esi; mov dword ptr [esp], ecx | 0_2_0008F70D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00091789 push eax; mov dword ptr [esp], ebx | 0_2_00094151
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00211FD0 push ecx; mov dword ptr [esp], 7DB94EF0h | 0_2_00212059
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00211FD0 push 44690A61h; mov dword ptr [esp], edx | 0_2_002120B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00211FD0 push edx; mov dword ptr [esp], 53C36D4Bh | 0_2_002120D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00211FD0 push 01CFE120h; mov dword ptr [esp], edx | 0_2_00212138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00228022 push 283BF7E3h; mov dword ptr [esp], esi | 0_2_00228241
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00228022 push esi; mov dword ptr [esp], edi | 0_2_00228442
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009300B push ebx; mov dword ptr [esp], esp | 0_2_00094DF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00091003 push 79B47304h; mov dword ptr [esp], edi | 0_2_0009100B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00212017 push ecx; mov dword ptr [esp], 7DB94EF0h | 0_2_00212059
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00212017 push 44690A61h; mov dword ptr [esp], edx | 0_2_002120B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00212017 push edx; mov dword ptr [esp], 53C36D4Bh | 0_2_002120D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00212017 push 01CFE120h; mov dword ptr [esp], edx | 0_2_00212138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00091030 push 464AB96Ah; mov dword ptr [esp], eax | 0_2_0009104B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A045 push ebp; mov dword ptr [esp], ecx | 0_2_0022A07D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A045 push ebx; mov dword ptr [esp], 3FEE21EAh | 0_2_0022A0AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A045 push ecx; mov dword ptr [esp], 45CECCC0h | 0_2_0022A0D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A045 push esi; mov dword ptr [esp], eax | 0_2_0022A0F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A045 push ebp; mov dword ptr [esp], edi | 0_2_0022A134
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A04D push ebp; mov dword ptr [esp], ecx | 0_2_0022A07D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A04D push ebx; mov dword ptr [esp], 3FEE21EAh | 0_2_0022A0AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A04D push ecx; mov dword ptr [esp], 45CECCC0h | 0_2_0022A0D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A04D push esi; mov dword ptr [esp], eax | 0_2_0022A0F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022A04D push ebp; mov dword ptr [esp], edi | 0_2_0022A134
Source: file.exe | Static PE information: section name: entropy: 7.774489911655783

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 212E82 second address: 212E8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 200516 second address: 200523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FBCC050B076h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2122E0 second address: 2122FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC0CD3BD1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2122FA second address: 212300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 214F45 second address: 214F80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBCC0CD3BD3h 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007FBCC0CD3BCEh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jp 00007FBCC0CD3BD8h 0x0000001c push eax 0x0000001d push edx 0x0000001e je 00007FBCC0CD3BC6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 215059 second address: 21505F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 21505F second address: 2150A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 76CA5081h 0x00000010 mov dword ptr [ebp+122D255Ch], edi 0x00000016 lea ebx, dword ptr [ebp+1245AE72h] 0x0000001c or cl, FFFFFFCCh 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007FBCC0CD3BCBh 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2151F5 second address: 215209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007FBCC050B076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 215254 second address: 21525A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 21525A second address: 2152FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBCC050B07Eh 0x0000000a popad 0x0000000b nop 0x0000000c or edi, dword ptr [ebp+122D35A1h] 0x00000012 push 00000000h 0x00000014 sub ecx, dword ptr [ebp+122D3089h] 0x0000001a push B46C0580h 0x0000001f jng 00007FBCC050B07Eh 0x00000025 push eax 0x00000026 jng 00007FBCC050B076h 0x0000002c pop eax 0x0000002d add dword ptr [esp], 4B93FB00h 0x00000034 mov edi, dword ptr [ebp+122D2C2Ch] 0x0000003a push 00000003h 0x0000003c xor cx, FD74h 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007FBCC050B078h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000018h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov edi, dword ptr [ebp+122D25DCh] 0x00000063 push 00000003h 0x00000065 jnp 00007FBCC050B07Ch 0x0000006b or edx, dword ptr [ebp+122D2C80h] 0x00000071 push ebx 0x00000072 sub dword ptr [ebp+122D360Ah], edi 0x00000078 pop edx 0x00000079 push CDA97DAFh 0x0000007e push eax 0x0000007f push edx 0x00000080 push eax 0x00000081 push edx 0x00000082 jmp 00007FBCC050B084h 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2152FF second address: 215303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 215303 second address: 215309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 215309 second address: 21530F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 21530F second address: 215313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2278C1 second address: 2278C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2278C7 second address: 2278CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 236A06 second address: 236A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 236A0A second address: 236A10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1FE9C5 second address: 1FE9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jno 00007FBCC0CD3BC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1FE9D3 second address: 1FE9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FBCC050B0CAh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBCC050B082h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1FE9F4 second address: 1FEA26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BD8h 0x00000007 jmp 00007FBCC0CD3BD0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1FEA26 second address: 1FEA2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 234D32 second address: 234D54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BD8h 0x00000007 jo 00007FBCC0CD3BC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 234EE1 second address: 234EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 234EE6 second address: 234EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC0CD3BCAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 234EF9 second address: 234EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235030 second address: 235036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235036 second address: 235081 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBCC050B076h 0x00000008 jno 00007FBCC050B076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jo 00007FBCC050B076h 0x00000017 jmp 00007FBCC050B088h 0x0000001c pop esi 0x0000001d pushad 0x0000001e jmp 00007FBCC050B086h 0x00000023 push eax 0x00000024 pop eax 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2351D7 second address: 2351E3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jc 00007FBCC0CD3BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2351E3 second address: 2351EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235348 second address: 23535E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBCC0CD3BCCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23535E second address: 235368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBCC050B076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235368 second address: 23536C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23536C second address: 235372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2359D3 second address: 2359DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FBCC0CD3BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2359DD second address: 2359ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnp 00007FBCC050B076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2359ED second address: 2359F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2359F3 second address: 2359F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2359F7 second address: 235A01 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235A01 second address: 235A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235A07 second address: 235A41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BCEh 0x00000007 jmp 00007FBCC0CD3BD3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f jl 00007FBCC0CD3BDEh 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007FBCC0CD3BC6h 0x0000001d jnl 00007FBCC0CD3BC6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235B94 second address: 235BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBCC050B076h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 235BA0 second address: 235BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 236259 second address: 23625F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23625F second address: 236269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 236269 second address: 23626D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 236639 second address: 23663F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23BD2C second address: 23BD30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23BD30 second address: 23BD34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23CFD8 second address: 23CFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23CFE1 second address: 23CFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1FCF28 second address: 1FCF37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23E643 second address: 23E647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23E647 second address: 23E657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 23E657 second address: 23E661 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBCC0CD3BCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1F6180 second address: 1F6186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1F6186 second address: 1F618C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2469C4 second address: 2469CE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCC050B076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 2469CE second address: 2469EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FBCC0CD3BD8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 246CBB second address: 246CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B085h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 246CD9 second address: 246CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBCC0CD3BC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 246CE5 second address: 246CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jno 00007FBCC050B076h 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 247874 second address: 247891 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBCC0CD3BD8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 247916 second address: 24794F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 add dword ptr [esp], 4EE0394Ah 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FBCC050B078h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push A9C2CB65h 0x0000002b push ebx 0x0000002c push edi 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 247C2D second address: 247C38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FBCC0CD3BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 24845E second address: 248484 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b jc 00007FBCC050B084h 0x00000011 pushad 0x00000012 jnl 00007FBCC050B076h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 248734 second address: 24873A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 24873A second address: 24874F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCC050B081h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 248976 second address: 24897C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 249AE1 second address: 249B73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007FBCC050B089h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FBCC050B078h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 pushad 0x0000002a call 00007FBCC050B086h 0x0000002f sub dword ptr [ebp+122D247Ch], eax 0x00000035 pop eax 0x00000036 jl 00007FBCC050B07Ch 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 pushad 0x00000041 jmp 00007FBCC050B087h 0x00000046 push eax 0x00000047 push edx 0x00000048 push ecx 0x00000049 pop ecx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B5C4 second address: 24B5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24B5CB second address: 24B5D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C09A second address: 24C0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 nop 0x00000005 pushad 0x00000006 mov edx, dword ptr [ebp+122D2C90h] 0x0000000c mov di, A076h 0x00000010 popad 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007FBCC0CD3BC8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007FBCC0CD3BC8h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 sub edi, dword ptr [ebp+122D3A24h] 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007FBCC0CD3BC6h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C0FD second address: 24C101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24BE39 second address: 24BE3F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C101 second address: 24C10B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C10B second address: 24C11D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FBCC0CD3BC8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24D7B5 second address: 24D7CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B084h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C961 second address: 24C965 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24D7CD second address: 24D813 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov si, 71B3h 0x0000000d push 00000000h 0x0000000f adc di, 6EF4h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FBCC050B078h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 xchg eax, ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 js 00007FBCC050B076h 0x0000003a push edi 0x0000003b pop edi 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24C965 second address: 24C96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24D813 second address: 24D835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24F8D9 second address: 24F8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24F8DE second address: 24F907 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jc 00007FBCC050B086h 0x00000010 jmp 00007FBCC050B080h 0x00000015 pushad 0x00000016 ja 00007FBCC050B076h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 24F907 second address: 24F94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 or esi, dword ptr [ebp+122D3735h] 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 sub dword ptr [ebp+122D256Dh], ecx 0x00000017 xchg eax, ebx 0x00000018 jns 00007FBCC0CD3BD2h 0x0000001e jno 00007FBCC0CD3BCCh 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a jmp 00007FBCC0CD3BD4h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2501AB second address: 2501AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2501AF second address: 2501B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 253315 second address: 253319 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2557E5 second address: 2557EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2557EF second address: 255831 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FBCC050B089h 0x0000000f push 00000000h 0x00000011 mov ebx, dword ptr [ebp+1245CDF6h] 0x00000017 push 00000000h 0x00000019 mov di, dx 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBCC050B07Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25672F second address: 2567DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007FBCC0CD3BD4h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FBCC0CD3BC8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000014h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c push 00000000h 0x0000002e call 00007FBCC0CD3BD7h 0x00000033 pushad 0x00000034 mov ebx, dword ptr [ebp+122D2BE4h] 0x0000003a sub esi, dword ptr [ebp+122D2CD4h] 0x00000040 popad 0x00000041 pop ebx 0x00000042 xchg eax, esi 0x00000043 push edi 0x00000044 jo 00007FBCC0CD3BC8h 0x0000004a push esi 0x0000004b pop esi 0x0000004c pop edi 0x0000004d push eax 0x0000004e pushad 0x0000004f jmp 00007FBCC0CD3BD5h 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FBCC0CD3BD6h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2567DF second address: 2567E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2576A8 second address: 2576AD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A394 second address: 25A39B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A49C second address: 25A4A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A57C second address: 25A588 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A588 second address: 25A58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25A58C second address: 25A590 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25DF98 second address: 25DFF8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCC0CD3BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007FBCC0CD3BD7h 0x00000010 pop edi 0x00000011 popad 0x00000012 nop 0x00000013 sbb di, 3A45h 0x00000018 push 00000000h 0x0000001a jmp 00007FBCC0CD3BCBh 0x0000001f push 00000000h 0x00000021 push eax 0x00000022 mov bl, 34h 0x00000024 pop edi 0x00000025 xchg eax, esi 0x00000026 jmp 00007FBCC0CD3BD7h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push edi 0x0000002f jg 00007FBCC0CD3BC6h 0x00000035 pop edi 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 25DFF8 second address: 25E003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FBCC050B076h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2601F9 second address: 2601FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2601FF second address: 260203 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 261188 second address: 26118D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26118D second address: 2611A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B07Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2611A7 second address: 2611AD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 26036D second address: 26037F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FBCC050B076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FBCC050B076h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2611AD second address: 261216 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCC0CD3BC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FBCC0CD3BC8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 mov ebx, dword ptr [ebp+122D25E4h] 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 mov edi, 7588B81Bh 0x00000035 pop edi 0x00000036 mov ebx, dword ptr [ebp+122D290Dh] 0x0000003c xchg eax, esi 0x0000003d jmp 00007FBCC0CD3BD7h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FBCC0CD3BCDh 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 261216 second address: 26121C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2621FC second address: 262202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 262202 second address: 262217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBCC050B07Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 261480 second address: 261486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 261486 second address: 26148A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 272748 second address: 27274C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27274C second address: 272767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B07Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FBCC050B078h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 272767 second address: 27276F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27276F second address: 272773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 272773 second address: 272777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27212C second address: 272160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC050B088h 0x00000009 ja 00007FBCC050B07Ah 0x0000000f je 00007FBCC050B082h 0x00000015 jno 00007FBCC050B076h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 272160 second address: 27218E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007FBCC0CD3BC6h 0x0000000b jmp 00007FBCC0CD3BD9h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27C165 second address: 27C173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FBCC050B076h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F9874 second address: 1F989F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC0CD3BD2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBCC0CD3BD0h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F989F second address: 1F98A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E0C4 second address: 27E0C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E2DE second address: 27E2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E2E3 second address: 27E30D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FBCC0CD3BD4h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jns 00007FBCC0CD3BC6h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E30D second address: 27E312 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E312 second address: 27E321 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 27E321 second address: 27E345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jg 00007FBCC050B080h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jo 00007FBCC050B076h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 282DB1 second address: 282DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC0CD3BCDh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 283096 second address: 28309D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28309D second address: 2830A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FBCC0CD3BC6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2830A9 second address: 2830BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jl 00007FBCC050B076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2830BC second address: 2830D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBCC0CD3BD0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2830D5 second address: 2830F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBCC050B088h 0x00000009 jns 00007FBCC050B076h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 283262 second address: 283267 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 283267 second address: 28326D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28326D second address: 28327D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007FBCC0CD3BC6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28327D second address: 283283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2833C5 second address: 2833CE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2833CE second address: 2833E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC050B07Eh 0x00000009 jp 00007FBCC050B076h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 283676 second address: 28367B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2837EA second address: 2837F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2837F0 second address: 2837F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286D89 second address: 286D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286D8F second address: 286D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286D93 second address: 286DB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B089h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286DB6 second address: 286DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 286DBC second address: 286DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28C499 second address: 28C4C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007FBCC0CD3BD1h 0x0000000c popad 0x0000000d jo 00007FBCC0CD3BE0h 0x00000013 push ecx 0x00000014 jnc 00007FBCC0CD3BC6h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28C4C6 second address: 28C4CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 207123 second address: 207127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 207127 second address: 20712D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20712D second address: 20713D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCC0CD3BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28B353 second address: 28B35B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28B495 second address: 28B4BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jno 00007FBCC0CD3BD7h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BBBD second address: 28BBC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BBC1 second address: 28BBD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BCEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 28BE9D second address: 28BEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2DF4B2 second address: 2DF4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2E75D6 second address: 2E75DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EBE91 second address: 2EBEA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FBCC050B076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EBEA3 second address: 2EBEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EBD2C second address: 2EBD36 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBCC050B07Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EBD36 second address: 2EBD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2EBD42 second address: 2EBD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F2C13 second address: 2F2C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC0CD3BD6h 0x00000009 jmp 00007FBCC0CD3BCFh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2F2C3D second address: 2F2C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FB77A second address: 2FB78A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBCC0CD3BCAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FB78A second address: 2FB78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FFF83 second address: 2FFFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FBCC0CD3BD0h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007FBCC0CD3BC6h 0x00000015 pop edi 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FFCA3 second address: 2FFCA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FFCA9 second address: 2FFCAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FFCAD second address: 2FFCB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2FFCB1 second address: 2FFCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007FBCC0CD3BCCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3030FC second address: 30310A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBCC050B076h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 302F7A second address: 302F7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 305CE4 second address: 305CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 308564 second address: 30856E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FBCC0CD3BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 30A36F second address: 30A374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 30E90F second address: 30E919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 30E919 second address: 30E91D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31216D second address: 312173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312173 second address: 312178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312178 second address: 312192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BCAh 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312192 second address: 312198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 312198 second address: 3121A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 31EEF4 second address: 31EEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 321C7C second address: 321CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBCC0CD3BCEh 0x00000009 jng 00007FBCC0CD3BC6h 0x0000000f popad 0x00000010 jmp 00007FBCC0CD3BD1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 321E40 second address: 321E49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 321E49 second address: 321E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FBCC0CD3BC6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328E21 second address: 328E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328E25 second address: 328E2A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328182 second address: 3281C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBCC050B081h 0x00000008 jmp 00007FBCC050B089h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007FBCC050B083h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3281C9 second address: 3281E1 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBCC0CD3BC6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FBCC0CD3BCCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3281E1 second address: 3281E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3281E5 second address: 328204 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FBCC0CD3BCDh 0x00000008 jnc 00007FBCC0CD3BC6h 0x0000000e pop ebx 0x0000000f jc 00007FBCC0CD3BCCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3284C8 second address: 3284EB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBCC050B08Eh 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328662 second address: 328671 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBCC0CD3BCAh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328A8D second address: 328AAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC050B088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328AAF second address: 328AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FBCC0CD3BD3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328AC8 second address: 328ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 328ACC second address: 328AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32C3BC second address: 32C3CB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBCC050B076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BDBD second address: 32BDC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BDC8 second address: 32BDCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BDCC second address: 32BDE5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBCC0CD3BC6h 0x00000008 jmp 00007FBCC0CD3BCFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BDE5 second address: 32BDEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 32BDEB second address: 32BE19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBCC0CD3BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007FBCC0CD3BCAh 0x00000015 jmp 00007FBCC0CD3BCBh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 334832 second address: 334839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 334839 second address: 33483F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 33483F second address: 334849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FBCC050B076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8DBF5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 264C4F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 250B40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8DBEF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 2D2FE2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 91A23 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4980000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4B20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6B20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D rdtsc 0_2_0021217D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022750E sidt fword ptr [esp-02h] 0_2_0022750E
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5332 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0027806A GetSystemInfo,VirtualAlloc, 0_2_0027806A
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0021217D rdtsc 0_2_0021217D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0022794E LdrInitializeThunk, 0_2_0022794E
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2262521421.000000000026F000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: )Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques flagged for this sample, with the hit count the report shows next to each; the unflagged cells of the full matrix are omitted)

Execution: Command and Scripting Interpreter (2)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2)
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (271), Process Injection (1), Obfuscated Files or Information (2), Software Packing (11), DLL Side-Loading (1), Bypass User Account Control (2)
Discovery: Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (271), System Information Discovery (23)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
No techniques flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
file.exe | 53% | Virustotal |
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1562849
Start date and time:2024-11-26 06:46:07 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 16s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.451573518842377
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:2'865'664 bytes
MD5:0d1e5334ceac878a5054ae5dbcfe0942
SHA1:1e3bdc4a9a1b54c65cd489187c51f41b51f2a3a2
SHA256:fece7908c91ac1248fe2ac0d2bd28f80c59b6d26669d2f144e8d5f92a7d1166b
SHA512:d96f09715b513b8bfa277df9524c4da73ad7e761128714f9da21c4fdff354d10f6bfe75936156fc70f2e6ed9fc02a827b29e2967fe3da9234e6f584d7dddf945
SSDEEP:49152:D2BmPOW1jNQtAmK3qXzuh4gC7rIQP41d5Im7KMGBX:D2YPOW1j4AT3qX66gC7rIQPs7EB
TLSH:11D53AA2B50972DFD48E17BC9427CE43A96D03B9472448D3EC5D64BABE73CC912B6C24
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... ,.. ...`....@.. .......................`,.....H.+...`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x6c2000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Data Directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x2000 | 0x4000 | 0x1200 | 2dbe1de676ecf766a793530514ccbd27 | False | 0.9309895833333334 | data | 7.774489911655783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hmogoqra | 0xa000 | 0x2b6000 | 0x2b5a00 | 1084d6f5da6bb153dd95c49aa0e2a833 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rfkyshch | 0x2c0000 | 0x2000 | 0x400 | a82204abf5d5aef725bd7bd23ab20aee | False | 0.7685546875 | data | 5.990471089881212 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2c2000 | 0x4000 | 0x2200 | fd09caf8b64716465742b0ee551b2284 | False | 0.06548713235294118 | DOS executable (COM) | 0.7584354531593667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Four of the six sections (the blank-named one, hmogoqra, rfkyshch and .taggant) are marked both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. Combined with the non-standard names, the 7.77-bit entropy of the blank-named section and its 0x4000 virtual size backed by only 0x1200 raw bytes, this is the static profile of a packed executable that decompresses itself into its own sections at run time. hmogoqra holds 2,841,088 (0x2b5a00) of the file's 2,865,664 bytes, and the analyzer reports its entropy, ZLIB complexity and file type as unknown, so the bulk of the payload was not characterized statically at all.
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports
DLL | Import
kernel32.dll | lstrcpy
A single static import, kernel32.dll!lstrcpy, is characteristic of a packed executable: the stub resolves everything else at run time (the execution graph below shows its LoadLibraryA calls), so the Import Hash above is computed from that one entry and identifies the packer stub rather than the payload.
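The static tables above (data directories, section headers with their characteristics and entropy, and the one-entry import table) are exactly what a triage script checks before spending sandbox time on a file. The Python below is an added example and not code from this report or from Joe Sandbox: it parses the section table and data directories of a PE32 image with struct alone, maps a directory RVA to its section (the Is in Section column), computes per-section Shannon entropy and flags the packer indicators visible above (writable+executable, blank or non-standard names, entropy above 7 bits, virtual size larger than raw size). The image it builds inline is constructed: section names, RVAs, virtual sizes, raw sizes, characteristics and the three populated directories follow the tables, but the raw contents and file offsets are synthetic, and hmogoqra's raw data is deliberately cut short so the parser has to report its entropy as unknown, as the report does, instead of computing a number over a partial slice.

```python
import math
import random
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in range(256)) if c)


def parse_pe(image: bytes) -> dict:
    """Read the COFF header, the optional-header data directories and the section table with struct only."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", image, pe + 6)[0]
    size_opt = struct.unpack_from("<H", image, pe + 20)[0]
    opt = pe + 24
    dir_off = opt + (96 if struct.unpack_from("<H", image, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", image, dir_off - 4)[0]
    directories = [struct.unpack_from("<II", image, dir_off + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsections):
        off = opt + size_opt + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[rawptr:rawptr + rawsize]
        truncated = len(raw) < rawsize  # file shorter than the header claims: do not guess an entropy
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_address": va,
                         "virtual_size": vsize, "raw_size": rawsize, "characteristics": chars,
                         "truncated": truncated, "entropy": None if truncated else entropy(raw)})
    return {"directories": directories, "sections": sections}


def rva_to_section(sections, rva: int):
    """Name of the section containing an RVA (the report's Is in Section column), or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            return s["name"]
    return None


def packer_indicators(s: dict) -> set:
    """Static hints that a section holds packed code or is unpacked into at run time."""
    flags = set()
    c = s["characteristics"]
    if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
        flags.add("writable+executable")
    if s["name"] not in STANDARD_NAMES:
        flags.add("non-standard name")
    if s["entropy"] is not None and s["entropy"] > 7.0:
        flags.add("high entropy")
    if s["virtual_size"] > s["raw_size"]:
        flags.add("virtual size exceeds raw size")
    if s["truncated"]:
        flags.add("truncated raw data")
    return flags


def build_demo_image() -> bytes:
    """Constructed PE32 whose section table mirrors the report; payloads and raw offsets are synthetic."""
    rng = random.Random(1562849)
    noise = lambda n: bytes(rng.randrange(256) for _ in range(n))  # near 8 bits/byte, stands in for packed data
    sparse = lambda n: (b"\0" * 15 + b"A") * (n // 16)             # mostly zeros, like a tiny import table
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    # name, VirtualSize, VirtualAddress, SizeOfRawData (report values), PointerToRawData (ours), flags, payload
    specs = [(b"", 0x4000, 0x2000, 0x1200, 0x400, rwx, noise(0x1200)),
             (b".rsrc", 0x59C, 0x6000, 0x600, 0x1600, rw, sparse(0x600)),
             (b".idata", 0x2000, 0x8000, 0x200, 0x1C00, rw, sparse(0x200)),
             (b"hmogoqra", 0x2B6000, 0xA000, 0x2B5A00, 0x4400, rwx, noise(0x200)),  # only 0x200 bytes present
             (b"rfkyshch", 0x2000, 0x2C0000, 0x400, 0x1E00, rwx, bytes(rng.randrange(64) for _ in range(0x400))),
             (b".taggant", 0x4000, 0x2C2000, 0x2200, 0x2200, rwx, sparse(0x2200))]
    image = bytearray(0x4600)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                    # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", image, 0x44, 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", image, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", image, opt + 92, 16)                  # NumberOfRvaAndSizes
    for idx, rva, size in ((1, 0x8055, 0x69), (2, 0x6000, 0x59C), (5, 0x81F8, 0x8)):  # import, resource, reloc
        struct.pack_into("<II", image, opt + 96 + 8 * idx, rva, size)
    for i, (name, vsize, va, rawsize, rawptr, chars, payload) in enumerate(specs):
        struct.pack_into("<8sIIIIIIHHI", image, opt + 0xE0 + 40 * i,
                         name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        image[rawptr:rawptr + len(payload)] = payload
    return bytes(image)


if __name__ == "__main__":
    info = parse_pe(build_demo_image())
    for s in info["sections"]:
        ent = "unknown" if s["entropy"] is None else f"{s['entropy']:.2f}"
        print(f"{s['name'] or '(blank)':9} rva=0x{s['virtual_address']:x} entropy={ent} {sorted(packer_indicators(s))}")
```

Run it as a script to print one line per section. The 7.0-bit threshold is a common triage cut-off rather than a rule (a .rsrc carrying compressed data legitimately exceeds it), so treat the flags as reasons to look further, not as verdicts; the truncation check matters for exactly the kind of oversized section the report left as unknown.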
No network behavior found

Target ID:0
Start time:00:46:58
Start date:26/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x80000
File size:2'865'664 bytes
MD5 hash:0D1E5334CEAC878A5054AE5DBCFE0942
Has elevated privileges:true
Has administrator privileges:true
(The sample ran elevated, so the registry and service-control actions observed below were not gated by UAC; on a standard-user account their outcome may differ.)
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:4.2%
    Dynamic/Decrypted Code Coverage:11%
    Signature Coverage:17.1%
    Total number of Nodes:82
    Total number of Limit Nodes:12
    execution_graph 6580 2205a2 6584 2205aa 6580->6584 6581 222208 RegOpenKeyA 6582 22222f RegOpenKeyA 6581->6582 6581->6584 6582->6584 6583 222290 GetNativeSystemInfo 6583->6584 6584->6581 6584->6582 6584->6583 6585 22234c 6584->6585 6586 91789 6587 932da 6586->6587 6588 94569 6587->6588 6590 27820b 6587->6590 6591 278219 6590->6591 6592 278239 6591->6592 6594 2784db 6591->6594 6592->6588 6595 2784eb 6594->6595 6597 27850e 6594->6597 6595->6597 6598 2788d5 6595->6598 6597->6591 6602 2788dc 6598->6602 6600 278926 6600->6597 6602->6600 6603 2787e3 6602->6603 6607 278a96 6602->6607 6606 2787f8 6603->6606 6604 2788b8 6604->6602 6605 278882 GetModuleFileNameA 6605->6606 6606->6604 6606->6605 6609 278aaa 6607->6609 6608 278ac2 6608->6602 6609->6608 6610 278be5 VirtualProtect 6609->6610 6610->6609 6611 279004 6613 279010 6611->6613 6614 279022 6613->6614 6617 278c2b 6614->6617 6618 278c3c 6617->6618 6619 278cbf 6617->6619 6618->6619 6620 2788d5 2 API calls 6618->6620 6621 278a96 VirtualProtect 6618->6621 6620->6618 6621->6618 6622 4981510 6623 4981514 ControlService 6622->6623 6625 498158f 6623->6625 6626 27906e 6628 27907a 6626->6628 6629 27908c 6628->6629 6630 2790b4 6629->6630 6631 278c2b 2 API calls 6629->6631 6631->6630 6632 27806a GetSystemInfo 6633 27808a 6632->6633 6634 2780c8 VirtualAlloc 6632->6634 6633->6634 6647 2783b6 6634->6647 6636 27810f 6637 2783b6 VirtualAlloc GetModuleFileNameA VirtualProtect 6636->6637 6646 2781e4 6636->6646 6639 278139 6637->6639 6638 278200 GetModuleFileNameA VirtualProtect 6640 2781a8 6638->6640 6641 2783b6 VirtualAlloc GetModuleFileNameA VirtualProtect 6639->6641 6639->6646 6642 278163 6641->6642 6643 2783b6 VirtualAlloc GetModuleFileNameA VirtualProtect 6642->6643 6642->6646 6644 27818d 6643->6644 6644->6640 6645 2783b6 VirtualAlloc GetModuleFileNameA VirtualProtect 6644->6645 6644->6646 6645->6646 6646->6638 6646->6640 6649 2783be 6647->6649 6650 2783d2 6649->6650 6651 2783ea 6649->6651 6657 278282 6650->6657 6653 278282 2 API 
calls 6651->6653 6654 2783fb 6653->6654 6659 27840d 6654->6659 6662 27828a 6657->6662 6660 278409 6659->6660 6661 27841e VirtualAlloc 6659->6661 6661->6660 6663 27829d 6662->6663 6664 2788d5 2 API calls 6663->6664 6665 2782e0 6663->6665 6664->6665 6666 4981308 6667 4981349 ImpersonateLoggedOnUser 6666->6667 6668 4981376 6667->6668 6669 4980d48 6671 4980d4c OpenSCManagerW 6669->6671 6672 4980ddc 6671->6672 6673 21f270 6674 2204f3 LoadLibraryA 6673->6674 6676 211fd0 LoadLibraryA 6677 211fd9 6676->6677 6678 8e593 VirtualAlloc 6679 8e5a5 6678->6679
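The graph above puts VirtualAlloc (node 2780c8) and VirtualProtect (node 278be5) on one path inside the image and, further on, OpenSCManagerW, ImpersonateLoggedOnUser and ControlService called from 0x4980d4c, 0x4981349 and 0x4981514, addresses well outside the mapped image (base 0x80000, last section .taggant ending at RVA 0x2c6000). That is the allocate-writable, write, make-executable, run-from-it unpacking sequence. The Python below is an added example and not part of the report: it runs one rule over an API-call trace, reporting committed regions allocated without execute rights that are later given them, and then lists the APIs subsequently invoked from inside such a region. The trace is constructed: the call-site addresses are the ones the report prints for these APIs, while the returned base 0x4980000, the VirtualProtect arguments and the handle values are assumptions.

```python
from dataclasses import dataclass
from typing import List

MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
_EXECUTABLE = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY


def is_executable(protect: int) -> bool:
    """True for any PAGE_EXECUTE* value; the PAGE_GUARD/NOCACHE/WRITECOMBINE modifier bits are ignored."""
    return (protect & 0xFF) in _EXECUTABLE


@dataclass(frozen=True)
class ApiCall:
    api: str      # exported name, e.g. "VirtualAlloc"
    args: tuple   # positional arguments as integers
    ret: int      # return value
    site: int     # address of the call site (the report's "ref:" column)


def find_rw_then_rx(trace: List[ApiCall]) -> List[dict]:
    """Flag committed regions allocated without execute rights that are later made executable."""
    regions = {}  # base address -> [size, current protection, allocating call site]
    hits = []
    for index, call in enumerate(trace):
        if call.api == "VirtualAlloc" and call.ret:
            _address, size, alloc_type, protect = call.args
            if alloc_type & MEM_COMMIT:
                regions[call.ret] = [size, protect, call.site]
        elif call.api == "VirtualProtect":
            address, _size, new_protect, _old_ptr = call.args
            for base, rec in regions.items():
                size, old_protect, alloc_site = rec
                if base <= address < base + size and not is_executable(old_protect) and is_executable(new_protect):
                    hits.append({"base": base, "size": size, "old_protect": old_protect,
                                 "new_protect": new_protect, "alloc_site": alloc_site,
                                 "protect_site": call.site, "protect_index": index})
                    rec[1] = new_protect  # track the region's current rights for later calls
    return hits


def calls_from_unpacked_regions(trace: List[ApiCall], hits: List[dict]) -> List[str]:
    """APIs invoked from inside a flagged region after it became executable: code running outside the image."""
    names = []
    for index, call in enumerate(trace):
        for h in hits:
            if index > h["protect_index"] and h["base"] <= call.site < h["base"] + h["size"]:
                names.append(call.api)
    return names


# Constructed trace. Call sites are the addresses printed in the report (0x278076, 0x2780D7, 0x278882,
# 0x278BE5 inside the image; 0x4980D4C, 0x4981349, 0x4981514 in the graph). The returned base
# 0x4980000, the VirtualProtect arguments and all handle/pointer values are assumed for illustration.
SAMPLE_TRACE = [
    ApiCall("GetSystemInfo", (0x19FEC0,), 0, 0x278076),
    ApiCall("VirtualAlloc", (0, 0x4000, MEM_COMMIT, PAGE_READWRITE), 0x4980000, 0x2780D7),
    ApiCall("GetModuleFileNameA", (0, 0x19F000, 0x104), 0x22, 0x278882),
    ApiCall("VirtualProtect", (0x4980000, 0x4000, PAGE_EXECUTE_READWRITE, 0x19FEF0), 1, 0x278BE5),
    ApiCall("OpenSCManagerW", (0, 0, 0xF003F), 0x6A0, 0x4980D4C),
    ApiCall("ImpersonateLoggedOnUser", (0x6A4,), 1, 0x4981349),
    ApiCall("ControlService", (0x6A8, 1, 0x19FEE0), 1, 0x4981514),
]

if __name__ == "__main__":
    found = find_rw_then_rx(SAMPLE_TRACE)
    for h in found:
        print(f"region 0x{h['base']:x} (+0x{h['size']:x}) allocated at 0x{h['alloc_site']:x} with "
              f"protect 0x{h['old_protect']:02x}, changed to 0x{h['new_protect']:02x} at 0x{h['protect_site']:x}")
    print("called from unpacked region:", calls_from_unpacked_regions(SAMPLE_TRACE, found))
```

A region allocated directly as PAGE_EXECUTE_READWRITE does not trip this rule, since the rights never change; that case needs a separate check on the VirtualAlloc protection itself. The rule also keys on the committed base returned by VirtualAlloc, so a sandbox trace that hides return values (as some of the ? entries in this report do) would need the region derived from the VirtualProtect address instead.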

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 21217d-21217f LoadLibraryA 1 212185-21218f 0->1 2 21219d-2122ce 0->2 1->2 3 212195-21219c 1->3 3->2
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262288785.0000000000210000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: 00000000.00000002.2262079083.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262111249.0000000000086000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262143117.0000000000096000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262238974.00000000001F3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262254998.00000000001F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262274195.000000000020F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.0000000000213000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.000000000021D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262332112.000000000021F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262345733.0000000000224000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262359950.0000000000226000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262389704.0000000000230000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262403271.0000000000231000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262415866.0000000000233000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262430671.0000000000236000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262450238.0000000000251000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262464356.0000000000252000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262479157.0000000000259000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262493697.0000000000263000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262508295.000000000026E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262521421.000000000026F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262535339.0000000000270000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262574175.0000000000274000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262589565.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262604850.0000000000277000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262633727.000000000027B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262650575.0000000000285000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262664499.0000000000287000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262677523.0000000000288000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262691929.000000000028D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262706549.0000000000294000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262722471.0000000000297000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262737487.000000000029F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262750970.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262766291.00000000002AB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262779768.00000000002B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262794663.00000000002B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262810170.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262823533.00000000002BD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262836815.00000000002C0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262850775.00000000002C1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262866719.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262885091.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262898887.00000000002DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262925505.000000000031E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262938656.0000000000320000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.000000000032B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.0000000000332000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262985278.0000000000340000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262999284.0000000000342000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: Z&{$z,>y
    • API String ID: 1029625771-272874197
    • Opcode ID: f69aed9e7794a1a0007270c281bd9f69bda44d2762ddd18a3dd1b4f322024b39
    • Instruction ID: c75f52ec9d51dbd3503a85c91fc82f1c7ad376469cbf0a45c0862d0fcd5a0892
    • Opcode Fuzzy Hash: f69aed9e7794a1a0007270c281bd9f69bda44d2762ddd18a3dd1b4f322024b39
    • Instruction Fuzzy Hash: 34318AB241C314AFD701AF59EC80ABAFBE8EF54760F16481DE6C893310D67659808B97

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 47 27806a-278084 GetSystemInfo 48 27808a-2780c2 47->48 49 2780c8-278111 VirtualAlloc call 2783b6 47->49 48->49 53 2781f7-2781fc call 278200 49->53 54 278117-27813b call 2783b6 49->54 61 2781fe-2781ff 53->61 54->53 60 278141-278165 call 2783b6 54->60 60->53 64 27816b-27818f call 2783b6 60->64 64->53 67 278195-2781a2 64->67 68 2781c8-2781df call 2783b6 67->68 69 2781a8-2781c3 67->69 72 2781e4-2781e6 68->72 73 2781f2 69->73 72->53 74 2781ec 72->74 73->61 74->73
    APIs
    • GetSystemInfo.KERNELBASE(?,-12245FEC), ref: 00278076
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 002780D7
    The VirtualAlloc arguments decode to VirtualAlloc(NULL, 0x4000, MEM_COMMIT, PAGE_READWRITE): a 16 KiB writable but non-executable region at an address of the system's choosing. The execution graph shows VirtualProtect (node 278be5) reached from the same routine, which is how a region allocated read/write is later given execute rights; its arguments are not recovered in this report.
    Memory Dump Source
    • Source File: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: the same process-memory dump set listed under the first function's Memory Dump Source above, this function's own source file excepted
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 4a9ff99f94a50cd48984bcaf987f272c75f56066b0092951a6334e8d0edcad46
    • Instruction ID: 75d2b5d10757492385a96c0e4ba27c7a9c92c4bac78db76e8942d672150f096d
    • Opcode Fuzzy Hash: 4a9ff99f94a50cd48984bcaf987f272c75f56066b0092951a6334e8d0edcad46
    • Instruction Fuzzy Hash: 3C4185B1D51246EFD728DF648C45FA677ACBF4C700F0040E2B24AD9886EA7095E48BA6
    Memory Dump Source
    • Source File: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: the same process-memory dump set listed under the first function's Memory Dump Source above, this function's own source file excepted
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 98f8058643d14a582f8c1592fdd7446edb348c7b2a09d4c5a1e08c50bc468d75
    • Instruction ID: 51fbf01d0fc1d11ad6b1cc413f2386dcde7be9017918a3333b9e55264d47df16
    • Opcode Fuzzy Hash: 98f8058643d14a582f8c1592fdd7446edb348c7b2a09d4c5a1e08c50bc468d75
    • Instruction Fuzzy Hash: E8F0783262C327AEEB005F78AC0AB9E3A88EF15324F101216E800C77C2C675CC68CB05

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 6 21fdf0-220501 8 221988-22199d 6->8 9 2205be-22167f 6->9 11 221e94-221e96 8->11 12 2221de-222206 8->12 9->11 11->12 16 222208-222223 RegOpenKeyA 12->16 17 22222f-22224a RegOpenKeyA 12->17 16->17 18 222225 16->18 19 222262-22228e 17->19 20 22224c-222256 17->20 18->17 23 222290-222299 GetNativeSystemInfo 19->23 24 22229b-2222a5 19->24 20->19 23->24 25 2222b1-2222bf 24->25 26 2222a7 24->26 28 2222c1 25->28 29 2222cb-2222d2 25->29 26->25 28->29 30 2222e5 29->30 31 2222d8-2222df 29->31 32 22233f-222346 30->32 31->30 31->32 32->9 33 22234c-222352 32->33
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0022221B
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00222242
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00222299
    The first arguments are the predefined root keys HKEY_CURRENT_USER (0x80000001) and HKEY_LOCAL_MACHINE (0x80000002); the subkey names and result handles were not resolved by the sandbox (shown as ?). GetNativeSystemInfo reports the real processor architecture even from a WOW64 process such as this one, so together these calls are environment fingerprinting rather than any persistence change.
    Memory Dump Source
    • Source File: 00000000.00000002.2262332112.000000000021F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: 00000000.00000002.2262079083.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262111249.0000000000086000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262143117.0000000000096000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262238974.00000000001F3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262254998.00000000001F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262274195.000000000020F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262288785.0000000000210000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.0000000000213000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.000000000021D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262345733.0000000000224000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262359950.0000000000226000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262389704.0000000000230000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262403271.0000000000231000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262415866.0000000000233000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262430671.0000000000236000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262450238.0000000000251000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262464356.0000000000252000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262479157.0000000000259000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262493697.0000000000263000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262508295.000000000026E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262521421.000000000026F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262535339.0000000000270000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262574175.0000000000274000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262589565.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262604850.0000000000277000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262633727.000000000027B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262650575.0000000000285000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262664499.0000000000287000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262677523.0000000000288000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262691929.000000000028D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262706549.0000000000294000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262722471.0000000000297000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262737487.000000000029F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262750970.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262766291.00000000002AB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262779768.00000000002B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262794663.00000000002B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262810170.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262823533.00000000002BD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262836815.00000000002C0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262850775.00000000002C1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262866719.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262885091.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262898887.00000000002DB000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262925505.000000000031E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262938656.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262953600.000000000032B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262953600.0000000000332000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262985278.0000000000340000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262999284.0000000000342000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 016d5a53d7cd8148e0f1591fc23e3e10015233132e8e0f901eab5f562a36004c
    • Instruction ID: 4a495320bf454d1a8fbb8132a089a6b55d5417652b866ee3ccb3c6efa4e28a4e
    • Opcode Fuzzy Hash: 016d5a53d7cd8148e0f1591fc23e3e10015233132e8e0f901eab5f562a36004c
    • Instruction Fuzzy Hash: D4316C7142521FEFEF21DF90DC44BEE37A9EB15301F500616AA0282941EBB65CB89F19

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 34 211fd0-211fd3 LoadLibraryA 35 211fd9-211fda 34->35 36 211fdb-211ffe 34->36 35->36 39 212004-212009 36->39 40 21200a-21200b 36->40 39->40 41 212011-212023 40->41 42 21202b-212177 40->42 41->42 45 212029-21202a 41->45 46 212178 42->46 45->42 46->46
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262288785.0000000000210000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: 00000000.00000002.2262079083.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262111249.0000000000086000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262143117.0000000000096000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262238974.00000000001F3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262254998.00000000001F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262274195.000000000020F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.0000000000213000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.000000000021D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262332112.000000000021F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262345733.0000000000224000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262359950.0000000000226000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262389704.0000000000230000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262403271.0000000000231000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262415866.0000000000233000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262430671.0000000000236000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262450238.0000000000251000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262464356.0000000000252000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262479157.0000000000259000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262493697.0000000000263000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262508295.000000000026E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262521421.000000000026F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262535339.0000000000270000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262574175.0000000000274000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262589565.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262604850.0000000000277000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262633727.000000000027B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262650575.0000000000285000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262664499.0000000000287000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262677523.0000000000288000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262691929.000000000028D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262706549.0000000000294000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262722471.0000000000297000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262737487.000000000029F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262750970.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262766291.00000000002AB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262779768.00000000002B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262794663.00000000002B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262810170.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262823533.00000000002BD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262836815.00000000002C0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262850775.00000000002C1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262866719.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262885091.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262898887.00000000002DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262925505.000000000031E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262938656.0000000000320000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.000000000032B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.0000000000332000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262985278.0000000000340000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262999284.0000000000342000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: O
    • API String ID: 1029625771-878818188
    • Opcode ID: c009a8aaa5dbdcabef8f0d02cbe99655a1441edbbf43c200eaaf7b1abdf0d89a
    • Instruction ID: 7295bd96e1275c552a0a9c178c9c31a6f8dcfba2b8f451a6f4fec5b186a8d4a7
    • Opcode Fuzzy Hash: c009a8aaa5dbdcabef8f0d02cbe99655a1441edbbf43c200eaaf7b1abdf0d89a
    • Instruction Fuzzy Hash: 824122B201C700EFE305AF19E8816BEFBE5FBA8720F168D2DE6C582611D37448919B57

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 75 278a96-278aa4 76 278ac7-278ad1 call 27892b 75->76 77 278aaa-278abc 75->77 81 278ad7 76->81 82 278adc-278ae5 76->82 77->76 83 278ac2 77->83 84 278c26-278c28 81->84 85 278afd-278b04 82->85 86 278aeb-278af2 82->86 83->84 88 278b0f-278b1f 85->88 89 278b0a 85->89 86->85 87 278af8 86->87 87->84 88->84 90 278b25-278b31 call 278a00 88->90 89->84 93 278b34-278b38 90->93 93->84 94 278b3e-278b48 93->94 95 278b6f-278b72 94->95 96 278b4e-278b61 94->96 97 278b75-278b78 95->97 96->95 101 278b67-278b69 96->101 98 278c1e-278c21 97->98 99 278b7e-278b85 97->99 98->93 102 278bb3-278bcc 99->102 103 278b8b-278b91 99->103 101->95 101->98 109 278be5-278bed VirtualProtect 102->109 110 278bd2-278be0 102->110 104 278b97-278b9c 103->104 105 278bae 103->105 104->105 106 278ba2-278ba8 104->106 107 278c16-278c19 105->107 106->102 106->105 107->97 111 278bf3-278bf6 109->111 110->111 111->107 112 278bfc-278c15 111->112 112->107
    Memory Dump Source
    • Source File: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: 00000000.00000002.2262079083.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262111249.0000000000086000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262143117.0000000000096000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262238974.00000000001F3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262254998.00000000001F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262274195.000000000020F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262288785.0000000000210000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.0000000000213000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.000000000021D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262332112.000000000021F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262345733.0000000000224000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262359950.0000000000226000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262389704.0000000000230000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262403271.0000000000231000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262415866.0000000000233000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262430671.0000000000236000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262450238.0000000000251000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262464356.0000000000252000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262479157.0000000000259000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262493697.0000000000263000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262508295.000000000026E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262521421.000000000026F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262535339.0000000000270000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262574175.0000000000274000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262589565.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262604850.0000000000277000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262633727.000000000027B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262650575.0000000000285000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262664499.0000000000287000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262677523.0000000000288000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262691929.000000000028D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262706549.0000000000294000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262722471.0000000000297000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262737487.000000000029F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262750970.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262766291.00000000002AB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262779768.00000000002B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262794663.00000000002B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262810170.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262823533.00000000002BD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262836815.00000000002C0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262850775.00000000002C1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262866719.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262885091.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262898887.00000000002DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262925505.000000000031E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262938656.0000000000320000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.000000000032B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.0000000000332000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262985278.0000000000340000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262999284.0000000000342000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c532e65f39b0b8b8e0a9c2a02d248babc33da23a7a8b83969f97ff2404f5c93f
    • Instruction ID: a184d3fde7db915cc2e456e6db036d361426ca7c7417263bbfad196a752e1666
    • Opcode Fuzzy Hash: c532e65f39b0b8b8e0a9c2a02d248babc33da23a7a8b83969f97ff2404f5c93f
    • Instruction Fuzzy Hash: 18419FB1D51106EFDB25CF24D948BAEB7B1FF05314F14C49AE50AA7181DBB1ACA0CB62

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 115 2787e3-2787f2 116 2787fe-278812 115->116 117 2787f8 115->117 119 2788d0-2788d2 116->119 120 278818-278822 116->120 117->116 121 2788bf-2788cb 120->121 122 278828-278832 120->122 121->116 122->121 123 278838-278842 122->123 123->121 124 278848-278857 123->124 126 278862-278867 124->126 127 27885d 124->127 126->121 128 27886d-27887c 126->128 127->121 128->121 129 278882-278899 GetModuleFileNameA 128->129 129->121 130 27889f-2788ad call 27873f 129->130 133 2788b3 130->133 134 2788b8-2788ba 130->134 133->121 134->119
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 00278890
    Memory Dump Source
    • Source File: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: 00000000.00000002.2262079083.0000000000080000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262096085.0000000000082000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262111249.0000000000086000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262143117.0000000000096000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262238974.00000000001F3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262254998.00000000001F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262274195.000000000020F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262288785.0000000000210000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.0000000000213000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262303181.000000000021D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262332112.000000000021F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262345733.0000000000224000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262359950.0000000000226000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262389704.0000000000230000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262403271.0000000000231000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262415866.0000000000233000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262430671.0000000000236000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262450238.0000000000251000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262464356.0000000000252000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262479157.0000000000259000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262493697.0000000000263000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262508295.000000000026E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262521421.000000000026F000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262535339.0000000000270000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262574175.0000000000274000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262589565.0000000000276000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262604850.0000000000277000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262633727.000000000027B000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262650575.0000000000285000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262664499.0000000000287000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262677523.0000000000288000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262691929.000000000028D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262706549.0000000000294000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262722471.0000000000297000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262737487.000000000029F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262750970.00000000002A1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262766291.00000000002AB000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262779768.00000000002B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262794663.00000000002B7000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262810170.00000000002BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262823533.00000000002BD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262836815.00000000002C0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262850775.00000000002C1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262866719.00000000002C9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262885091.00000000002DA000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262898887.00000000002DB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262925505.000000000031E000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262938656.0000000000320000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.000000000032B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262953600.0000000000332000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262985278.0000000000340000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2262999284.0000000000342000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 1581e7fc3f7403014b3bfe853d0d494f1122ee6d942386cbf575588fe0f686e4
    • Instruction ID: 7143eaa55211af6c5042ae045935ea199f2f1d3c08be98d69696b0841ef34ef1
    • Opcode Fuzzy Hash: 1581e7fc3f7403014b3bfe853d0d494f1122ee6d942386cbf575588fe0f686e4
    • Instruction Fuzzy Hash: 69119671E6122E9FFB205E158C4CBABBB6CEF55750F50C095E80D96041EFB09D908AA6

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 135 4980d43-4980d46 136 4980d48-4980d4b 135->136 137 4980d4c-4980d97 135->137 136->137 139 4980d99-4980d9c 137->139 140 4980d9f-4980da3 137->140 139->140 141 4980dab-4980dda OpenSCManagerW 140->141 142 4980da5-4980da8 140->142 143 4980ddc-4980de2 141->143 144 4980de3-4980df7 141->144 142->141 143->144
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04980DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2264551557.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: ffb72ee304bbfca07a57d69c98012cd780df19a156abe64ff34e643ed49891db
    • Instruction ID: 5036d535f237802de4dd821aeb87ca835d7f162f5cbfbd5adeae9b1de8982340
    • Opcode Fuzzy Hash: ffb72ee304bbfca07a57d69c98012cd780df19a156abe64ff34e643ed49891db
    • Instruction Fuzzy Hash: E12134B68003099FDB50DF99D884ADEFBF4EB88720F15822AD908AB244D774A545CBA4

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 146 4980d48-4980d97 149 4980d99-4980d9c 146->149 150 4980d9f-4980da3 146->150 149->150 151 4980dab-4980dda OpenSCManagerW 150->151 152 4980da5-4980da8 150->152 153 4980ddc-4980de2 151->153 154 4980de3-4980df7 151->154 152->151 153->154
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04980DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2264551557.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: d5429dffc3f4f8cdcf46bed2a8f22293a815ecbe2ce12895d21ba43eb8624512
    • Instruction ID: ee72d81b4a7774dfaac6be6e109a90d3700b0f7837836d69e85913997291c4d3
    • Opcode Fuzzy Hash: d5429dffc3f4f8cdcf46bed2a8f22293a815ecbe2ce12895d21ba43eb8624512
    • Instruction Fuzzy Hash: 642134B68003099FCB50DF99D884ADEFBF4EB88720F15822AD908AB204D774A544CBA4

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 156 4981509-498150e 157 4981510-4981513 156->157 158 4981514-4981550 156->158 157->158 159 4981558-498158d ControlService 158->159 160 498158f-4981595 159->160 161 4981596-49815b7 159->161 160->161
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04981580
    Memory Dump Source
    • Source File: 00000000.00000002.2264551557.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 0738b462d6651d8622186a8fcf719a68ad649a10c2515507b31f04bbd7076693
    • Instruction ID: cfedfb262ae247e282ebae8428b23a5da2ffa50f6fcff170f7ca2f0827daf268
    • Opcode Fuzzy Hash: 0738b462d6651d8622186a8fcf719a68ad649a10c2515507b31f04bbd7076693
    • Instruction Fuzzy Hash: C32103B19003499FDB10DF9AC585BDEFBF8AB48324F10802AE559A3250D778AA44CFA5

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 163 4981510-498158d ControlService 166 498158f-4981595 163->166 167 4981596-49815b7 163->167 166->167
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04981580
    Memory Dump Source
    • Source File: 00000000.00000002.2264551557.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 7879cc4f69b5774eec90021ca6de8a3a23aa725b9f2fd96721e660ea9808541f
    • Instruction ID: dc0b4cdc4b946d60388f954bada8c3cd02d88f41dfb00d9096066355d26119bb
    • Opcode Fuzzy Hash: 7879cc4f69b5774eec90021ca6de8a3a23aa725b9f2fd96721e660ea9808541f
    • Instruction Fuzzy Hash: 2E11E4B19003499FDB10DF9AD585BDEFBF8EB48324F10802AE559A3250D778A644CFA5

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 169 4981301-4981341 171 4981349-4981374 ImpersonateLoggedOnUser 169->171 172 498137d-498139e 171->172 173 4981376-498137c 171->173 173->172
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04981367
    Memory Dump Source
    • Source File: 00000000.00000002.2264551557.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: d88dcbdcc4ef06af7a833b69baf2651a11924d74ac36ba128a4d301eee61faee
    • Instruction ID: 9d87948959a33af0099f5a61a437a6aadaf0af3eb8db4d92867215637a887624
    • Opcode Fuzzy Hash: d88dcbdcc4ef06af7a833b69baf2651a11924d74ac36ba128a4d301eee61faee
    • Instruction Fuzzy Hash: D61143B2800249CFDB10DF9AC545BDEFBF8EF88324F24846AD518A3240D778A945CFA1

    Control-flow Graph

    • Executed
    • Not Executed
    • Nodes: 175 (4981308-4981374, ImpersonateLoggedOnUser), 177 (498137d-498139e), 178 (4981376-498137c)
    • Edges: 175->177, 175->178, 178->177
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04981367
    Memory Dump Source
    • Source File: 00000000.00000002.2264551557.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 7b598d1489d52e20116e19cff545a686a4eb0dcbeb1b0699f40508baf67ca4ec
    • Instruction ID: c24ebbcece33f65d9b9caedb42fb226ec0e4f54e8ea355810ac8799daac90854
    • Opcode Fuzzy Hash: 7b598d1489d52e20116e19cff545a686a4eb0dcbeb1b0699f40508baf67ca4ec
    • Instruction Fuzzy Hash: A01122B1800349CFDB10DF9AC545BDEFBF8AB48324F20846AD558A3650D778A944CBA5

    Control-flow Graph

    • Executed
    • Not Executed
    • Nodes: 180 (21f270-22370c, LoadLibraryA)
    • Edges: none
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2262332112.000000000021F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 569f031b381925b26bba56a200aced8108c6fef04f7984abf7ccff911b59dd65
    • Instruction ID: b08d2049fd7e5711033cf49dbb96033931aa121e0d7098ab94ae8cd65f55b32f
    • Opcode Fuzzy Hash: 569f031b381925b26bba56a200aced8108c6fef04f7984abf7ccff911b59dd65
    • Instruction Fuzzy Hash: 67E0A9B223C134FBC3102A84FC457FAB798EB24762F11042AD39282610E9754820D6D6

    Control-flow Graph

    • Executed
    • Not Executed
    • Nodes: 186 (8e593-8e599, VirtualAlloc), 187 (8e5a5-8f710)
    • Edges: 186->187
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 2db2ae16bd00bdb5eb35b50ef958ea8f5f437e88828248d827784660c84b475d
    • Instruction ID: f3c7995ef828c83e1a2c503b639874d5a165f30155ee78f99d97d1d03c4bb08b
    • Opcode Fuzzy Hash: 2db2ae16bd00bdb5eb35b50ef958ea8f5f437e88828248d827784660c84b475d
    • Instruction Fuzzy Hash: 60F0F4B2109806D7D7183F39985407E7AA4FF85361B35833EF4D343750EA7048508B2A

    Control-flow Graph

    • Executed
    • Not Executed
    • Nodes: 196 (27840d-278418), 197 (278447-278454), 198 (27841e-278440, VirtualAlloc), 200 (278485-278487), 201 (27845a-278466), 203 (27846c-27846f), 204 (278475-278478), 205 (27847d-278482)
    • Edges: 196->197, 196->198, 197->200, 197->201, 198->197, 201->203, 203->204, 203->205, 204->203, 205->200
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00278409,?,?,0027810F,?,?,0027810F,?,?,0027810F), ref: 0027842D
    Memory Dump Source
    • Source File: 00000000.00000002.2262619472.0000000000278000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: cbdb7a21f31e3ea2d99944ca45d2df4c2af8b1783416079efc1ae9e9db7dda3a
    • Instruction ID: c3164571928b4076629d715e1efcdadddd99fd0b2725669230cc5934573dc8de
    • Opcode Fuzzy Hash: cbdb7a21f31e3ea2d99944ca45d2df4c2af8b1783416079efc1ae9e9db7dda3a
    • Instruction Fuzzy Hash: 89F0D1B1900207EFD7208F54CC08B59BBA4FF89762F10C065F48A9B191D3B088D08B51
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2262127368.000000000008A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    • Opcode ID: f2a1d9453b7e606eae784f974a2ba0fdb6676f6ae7445113b6f57335dbe29f04
    • Instruction ID: 81d41bfbac41e4dc5f7fb805f96ba31bfdcc8e03b67645ab0586758a0893ac29
    • Opcode Fuzzy Hash: f2a1d9453b7e606eae784f974a2ba0fdb6676f6ae7445113b6f57335dbe29f04
    • Instruction Fuzzy Hash: 1361ED7250420E9BCB25EF29C5411EF3BF1FB56330B14436AE8819BA82D2B29C12DF49
    Memory Dump Source
    • Source File: 00000000.00000002.2262898887.00000000002DB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    • Associated: 00000000.00000002.2262691929.000000000028D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262706549.0000000000294000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262722471.0000000000297000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262737487.000000000029F000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262750970.00000000002A1000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262766291.00000000002AB000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262779768.00000000002B0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262794663.00000000002B7000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262810170.00000000002BC000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262823533.00000000002BD000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262836815.00000000002C0000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262850775.00000000002C1000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262866719.00000000002C9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262885091.00000000002DA000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262925505.000000000031E000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262938656.0000000000320000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262953600.000000000032B000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262953600.0000000000332000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262985278.0000000000340000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2262999284.0000000000342000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fd3e9c4d2b2c6a6adb2669916b206b8152d080bf375fbb0bd617a72a35c6a553
    • Instruction ID: 04e53f070f875f183dc68f60b90339e4705269fd8816ed4f011edd014aa68023
    • Opcode Fuzzy Hash: fd3e9c4d2b2c6a6adb2669916b206b8152d080bf375fbb0bd617a72a35c6a553
    • Instruction Fuzzy Hash: 6F5190B253C708DBD3446E15D88953AF7E5FF95350F268A3EE7C683250EA7158609B03
    Memory Dump Source
    • Source File: 00000000.00000002.2262373839.0000000000227000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_80000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b09e5d970fd961d32276e3a8e6de9ed079e47dfa4085a0764549291731cd2f85
    • Instruction ID: 3fb23b6634d1572f0e1e42e17e1180e26a7ca9238f18f54a4fd5cc1e7cbe934d
    • Opcode Fuzzy Hash: b09e5d970fd961d32276e3a8e6de9ed079e47dfa4085a0764549291731cd2f85
    • Instruction Fuzzy Hash: EDE04F76018101AED7009F64D85599FFBF4FF19320F649855E844CB622C2358C51CB29