Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565522
MD5: 47aa764406ba64383ac50e4101f34474
SHA1: 48c14e56cc54ee0095c52a680d41b20e76dd3d2b
SHA256: 0bb190f23ae3739409ed5fc96d03728cbb385a58fd544f4fb8a74af959b2f72e
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4512 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 47AA764406BA64383AC50E4101F34474)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.1235075019.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1368498250.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01072000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F05C9B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFDE07
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0570A
Source: file.exe, 00000000.00000000.1225282989.0000000000EF6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2765824 > 1048576
Source: file.exe | Static PE information: Raw size of xbmfzvhb is bigger than: 0x100000 < 0x29d200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.1235075019.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1368498250.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ef0000.0.unpack :EW;.rsrc:W;.idata :W;xbmfzvhb:EW;ztggrlpz:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a3ab9 should be: 0x2a70e2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: xbmfzvhb
Source: file.exe | Static PE information: section name: ztggrlpz
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFE886 push edi; mov dword ptr [esp], 2ED07954h | 0_2_00EFE820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFE886 push edi; mov dword ptr [esp], eax | 0_2_00EFEE07
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFE886 push edx; mov dword ptr [esp], ebx | 0_2_00EFEE13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFE886 push eax; mov dword ptr [esp], 7B0CE75Ah | 0_2_00EFF2C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFE886 push ecx; mov dword ptr [esp], esi | 0_2_00EFF407
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010760A4 push esi; mov dword ptr [esp], 73CBAB54h | 0_2_01076113
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010760A4 push edx; mov dword ptr [esp], esi | 0_2_010761D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010797E5 push eax; ret | 0_2_01079897
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010797E5 push ebp; ret | 0_2_01079A4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01075EEE push 0086ADD4h; mov dword ptr [esp], edx | 0_2_01076022
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01075EEE push 268A9A21h; mov dword ptr [esp], edx | 0_2_01076085
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01078903 push 27AF1366h; mov dword ptr [esp], eax | 0_2_01078915
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01078903 push ecx; mov dword ptr [esp], ebx | 0_2_01078EB8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107990E push eax; ret | 0_2_0107991D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F020E7 push eax; mov dword ptr [esp], edx | 0_2_00F00677
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107F910 push edi; mov dword ptr [esp], ebx | 0_2_0107F917
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F030EA push 4F7B91F9h; mov dword ptr [esp], esp | 0_2_00F030F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFC8DF push 09FB554Ch; mov dword ptr [esp], edx | 0_2_00EFC914
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFC8DF push edi; mov dword ptr [esp], esi | 0_2_00EFC994
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F010C2 push esi; mov dword ptr [esp], edx | 0_2_00F01768
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F010C2 push edx; mov dword ptr [esp], ecx | 0_2_00F03948
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E135 push 60D23129h; mov dword ptr [esp], edx | 0_2_0107E921
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E135 push ecx; mov dword ptr [esp], ebx | 0_2_0107EC4F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115C92D push ebp; mov dword ptr [esp], esi | 0_2_0115C95A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115C92D push ebp; mov dword ptr [esp], edi | 0_2_0115CA5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F018B2 push esi; mov dword ptr [esp], 4FE1026Dh | 0_2_00F018B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F018B2 push edx; mov dword ptr [esp], 5AE2FE72h | 0_2_00F018CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFC0B8 push edx; mov dword ptr [esp], ecx | 0_2_00EFC0C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFC0B8 push 09FB554Ch; mov dword ptr [esp], edx | 0_2_00EFC914
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFC0B8 push edi; mov dword ptr [esp], esi | 0_2_00EFC994
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E162 push 29F8124Dh; mov dword ptr [esp], edi | 0_2_0107E16F
Source: file.exe | Static PE information: section name: entropy: 7.764448278674302

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (16 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1075F5C second address: 1075F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0E1D238F91h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10760BF second address: 10760C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10793DC second address: 10793E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10793E6 second address: 107940C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jo 00007F0E1CD84CB4h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 107940C second address: 1079410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1079410 second address: 1079437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jno 00007F0E1CD84CAEh 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jne 00007F0E1CD84CA8h 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10794C9 second address: 107955B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push esi 0x00000007 jnp 00007F0E1D238F8Ch 0x0000000d pop esi 0x0000000e nop 0x0000000f movzx edi, di 0x00000012 push 00000000h 0x00000014 jnp 00007F0E1D238F8Ah 0x0000001a call 00007F0E1D238F89h 0x0000001f push edx 0x00000020 jl 00007F0E1D238F88h 0x00000026 pushad 0x00000027 popad 0x00000028 pop edx 0x00000029 push eax 0x0000002a pushad 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e pushad 0x0000002f popad 0x00000030 popad 0x00000031 push ecx 0x00000032 pushad 0x00000033 popad 0x00000034 pop ecx 0x00000035 popad 0x00000036 mov eax, dword ptr [esp+04h] 0x0000003a push eax 0x0000003b jno 00007F0E1D238F88h 0x00000041 pop eax 0x00000042 mov eax, dword ptr [eax] 0x00000044 pushad 0x00000045 jmp 00007F0E1D238F93h 0x0000004a jns 00007F0E1D238F9Ch 0x00000050 popad 0x00000051 mov dword ptr [esp+04h], eax 0x00000055 push eax 0x00000056 jp 00007F0E1D238F8Ch 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10797B2 second address: 10797BC instructions: 0x00000000 rdtsc 0x00000002 js 00007F0E1CD84CACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10798E0 second address: 10798EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108A858 second address: 108A878 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0E1CD84CB2h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108A878 second address: 108A87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 108A87C second address: 108A882 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106D861 second address: 106D86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0E1D238F86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109796E second address: 1097972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097972 second address: 1097993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F0E1D238F92h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097E04 second address: 1097E08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097E08 second address: 1097E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F0E1D238F86h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097E18 second address: 1097E2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a jno 00007F0E1CD84CAAh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097E2F second address: 1097E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0E1D238F86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097E3B second address: 1097E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1097E41 second address: 1097E4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F0E1D238F86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109820F second address: 1098217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098346 second address: 1098351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098351 second address: 1098355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098355 second address: 109835B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109849D second address: 10984BE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F0E1CD84CB9h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10984BE second address: 10984DA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E1D238F88h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F0E1D238F8Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109877A second address: 1098780 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098780 second address: 109878A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109878A second address: 1098790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098790 second address: 1098794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098901 second address: 1098915 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F0E1CD84CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F0E1CD84CA8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098AAB second address: 1098AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1098AB1 second address: 1098AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109087F second address: 1090883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1090883 second address: 109088B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109088B second address: 1090892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106A368 second address: 106A3A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0E1CD84CB5h 0x00000010 jmp 00007F0E1CD84CB9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 106A3A1 second address: 106A3CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F0E1D238F86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnc 00007F0E1D238F99h 0x00000012 push edi 0x00000013 jp 00007F0E1D238F86h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1099266 second address: 1099273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F0E1CD84CACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10993F7 second address: 10993FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10993FF second address: 1099403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109980B second address: 1099810 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109CEF0 second address: 109CEFA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0E1CD84CACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109D5C6 second address: 109D5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E1D238F97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 109D5E1 second address: 109D632 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F0E1CD84CB5h 0x0000000f jmp 00007F0E1CD84CACh 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b ja 00007F0E1CD84CBFh 0x00000021 jmp 00007F0E1CD84CB9h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A7574 second address: 10A7590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A7590 second address: 10A7599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A7599 second address: 10A759D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A99CA second address: 10A99CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A99CE second address: 10A99D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A9A88 second address: 10A9ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F0E1CD84CB1h 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F0E1CD84CA6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A9ABF second address: 10A9AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A9CDB second address: 10A9CFB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0E1CD84CA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jbe 00007F0E1CD84CA6h 0x00000013 jnp 00007F0E1CD84CA6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10A9DBC second address: 10A9DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA305 second address: 10AA346 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F0E1CD84CA8h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 add di, 8C68h 0x00000029 nop 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA404 second address: 10AA408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA408 second address: 10AA40E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA40E second address: 10AA413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA413 second address: 10AA419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA852 second address: 10AA870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F0E1D238F8Ah 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F0E1D238F88h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA870 second address: 10AA87A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0E1CD84CA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA92B second address: 10AA944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0E1D238F88h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f push esi 0x00000010 pushad 0x00000011 popad 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AA944 second address: 10AA948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AAE13 second address: 10AAE1D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E1D238F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AAE1D second address: 10AAE6E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0E1CD84CA8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F0E1CD84CB4h 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D2B14h], esi 0x00000019 push 00000000h 0x0000001b jmp 00007F0E1CD84CB8h 0x00000020 cld 0x00000021 push 00000000h 0x00000023 mov dword ptr [ebp+122D1CDAh], edi 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AE901 second address: 10AE905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10AFF79 second address: 10AFF7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10ADB7B second address: 10ADB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B2BB5 second address: 10B2BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B2BB9 second address: 10B2BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10B2BBF second address: 10B2C2F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0E1CD84CA8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F0E1CD84CAEh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F0E1CD84CA8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D2AF7h], edx 0x00000032 call 00007F0E1CD84CACh 0x00000037 xor dword ptr [ebp+122D2EC4h], ebx 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 add edi, dword ptr [ebp+122D2D4Eh] 0x00000046 mov di, ax 0x00000049 push 00000000h 0x0000004b xor ebx, dword ptr [ebp+122D383Eh] 0x00000051 add ebx, 494A71A0h 0x00000057 push eax 0x00000058 push edi 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B3E45 second address: 10B3E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B70F8 second address: 10B70FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B70FC second address: 10B7102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7102 second address: 10B7106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7106 second address: 10B7173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F0E1D238F88h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000019h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov bx, ax 0x00000028 add dword ptr [ebp+1244F3C3h], eax 0x0000002e push 00000000h 0x00000030 movzx ebx, ax 0x00000033 push 00000000h 0x00000035 jmp 00007F0E1D238F95h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jg 00007F0E1D238F99h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B730C second address: 10B7313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B7313 second address: 10B7325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jl 00007F0E1D238F86h 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B8280 second address: 10B8284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9027 second address: 10B902D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B902D second address: 10B9031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9031 second address: 10B905E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F0E1D238F8Bh 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F0E1D238F91h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B905E second address: 10B90C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F0E1CD84CA8h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 call 00007F0E1CD84CA8h 0x0000002b pop edx 0x0000002c mov dword ptr [esp+04h], edx 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc edx 0x00000039 push edx 0x0000003a ret 0x0000003b pop edx 0x0000003c ret 0x0000003d xor edi, 35C07CE4h 0x00000043 push 00000000h 0x00000045 jmp 00007F0E1CD84CAAh 0x0000004a push eax 0x0000004b push ecx 0x0000004c pushad 0x0000004d push ecx 0x0000004e pop ecx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BA126 second address: 10BA13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F0E1D238F88h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9210 second address: 10B9221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E1CD84CADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BA13A second address: 10BA145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0E1D238F86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B9221 second address: 10B92E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F0E1CD84CA8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D5813h], eax 0x0000002c pushad 0x0000002d movzx edx, di 0x00000030 sub dword ptr [ebp+122D2EBAh], esi 0x00000036 popad 0x00000037 push dword ptr fs:[00000000h] 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007F0E1CD84CA8h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 mov edi, dword ptr [ebp+122D3133h] 0x0000005e mov dword ptr fs:[00000000h], esp 0x00000065 mov bx, si 0x00000068 mov eax, dword ptr [ebp+122D0C5Dh] 0x0000006e mov edi, 211731DFh 0x00000073 or dword ptr [ebp+122D2792h], eax 0x00000079 push FFFFFFFFh 0x0000007b jmp 00007F0E1CD84CB8h 0x00000080 push eax 0x00000081 push eax 0x00000082 push edx 0x00000083 push edx 0x00000084 jmp 00007F0E1CD84CB3h 0x00000089 pop edx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB057 second address: 10BB078 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0E1D238F97h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BB078 second address: 10BB086 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0E1CD84CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD21C second address: 10BD248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 mov dword ptr [ebp+122D2D92h], ecx 0x0000000f push 00000000h 0x00000011 add ebx, 2F94A068h 0x00000017 cld 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0E1D238F91h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BE205 second address: 10BE21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0E1CD84CB0h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD435 second address: 10BD439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD439 second address: 10BD455 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD455 second address: 10BD45A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C10B0 second address: 10C10B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BD45A second address: 10BD46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F0E1D238F88h 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1199 second address: 10C119D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C20E9 second address: 10C20EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C541D second address: 10C543A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0E1CD84CB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD7E4 second address: 10CD7EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD7EA second address: 10CD7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD7F3 second address: 10CD7F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CCEE7 second address: 10CCEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CCEEB second address: 10CCF15 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0E1D238F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0E1D238F95h 0x0000000f popad 0x00000010 ja 00007F0E1D238FABh 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CCF15 second address: 10CCF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD1EF second address: 10CD1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F0E1D238F86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10CD1FC second address: 10CD208 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F0E1CD84CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DCBDF second address: 10DCC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E1D238F86h 0x0000000a jl 00007F0E1D238F86h 0x00000010 ja 00007F0E1D238F86h 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0E1D238F98h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DCC11 second address: 10DCC20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 jbe 00007F0E1CD84CA6h 0x0000000b pop edi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F2DB second address: 106F2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106F2E1 second address: 106F2E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF7DD second address: 10DF7E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF8A3 second address: 10DF8C6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E1CD84CACh 0x00000008 jnl 00007F0E1CD84CA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 pushad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b jl 00007F0E1CD84CACh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF8C6 second address: 10DF905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007F0E1D238F96h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 jmp 00007F0E1D238F97h 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DF905 second address: 10DF909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E4946 second address: 10E494C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070E82 second address: 1070E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070E8E second address: 1070E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1070E92 second address: 1070E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3659 second address: 10E365F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3D1D second address: 10E3D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0E1CD84CA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3E68 second address: 10E3EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 jmp 00007F0E1D238F8Bh 0x0000000d popad 0x0000000e jc 00007F0E1D238F9Fh 0x00000014 jng 00007F0E1D238F86h 0x0000001a jmp 00007F0E1D238F93h 0x0000001f pop eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push esi 0x00000024 pop esi 0x00000025 jp 00007F0E1D238F86h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E3EA7 second address: 10E3EC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CAFh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0E1CD84CA6h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E4053 second address: 10E405B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E405B second address: 10E405F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E41C8 second address: 10E41CD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EAAA8 second address: 10EAABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10EAABD second address: 10EAAF6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jl 00007F0E1D238F86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0E1D238F8Dh 0x00000011 pop edx 0x00000012 push ecx 0x00000013 push ebx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0E1D238F98h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E98BC second address: 10E98C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E98C0 second address: 10E98EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F0E1D238F8Ah 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007F0E1D238F93h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8280 second address: 10A8286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8286 second address: 109087F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F0E1D238F88h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 call dword ptr [ebp+1244F24Fh] 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jo 00007F0E1D238F86h 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8383 second address: 10A86F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB7h 0x00000009 popad 0x0000000a pop ecx 0x0000000b xchg eax, ebx 0x0000000c sub dword ptr [ebp+122D1DE9h], edi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 cld 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov dword ptr [ebp+12460C3Dh], edx 0x00000027 mov dword ptr [ebp+1247DFEAh], esp 0x0000002d xor dword ptr [ebp+122D2792h], ebx 0x00000033 cmp dword ptr [ebp+122D39EEh], 00000000h 0x0000003a jne 00007F0E1CD84DD5h 0x00000040 cmp dword ptr [ebp+122D39FAh], 00000000h 0x00000047 jne 00007F0E1CD84D59h 0x0000004d cmp dword ptr [ebp+122D3B2Eh], 00000000h 0x00000054 jne 00007F0E1CD84D88h 0x0000005a mov byte ptr [ebp+122D2B4Bh], 0000006Ch 0x00000061 pushad 0x00000062 mov dword ptr [ebp+122D1E17h], ebx 0x00000068 mov eax, dword ptr [ebp+122D3557h] 0x0000006e popad 0x0000006f mov eax, DB057083h 0x00000074 push 00000000h 0x00000076 push edi 0x00000077 call 00007F0E1CD84CA8h 0x0000007c pop edi 0x0000007d mov dword ptr [esp+04h], edi 0x00000081 add dword ptr [esp+04h], 00000017h 0x00000089 inc edi 0x0000008a push edi 0x0000008b ret 0x0000008c pop edi 0x0000008d ret 0x0000008e mov edx, dword ptr [ebp+122D1CDAh] 0x00000094 push eax 0x00000095 push edi 0x00000096 push eax 0x00000097 push edx 0x00000098 pushad 0x00000099 popad 0x0000009a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A886F second address: 10A8875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8875 second address: 10A8899 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E1CD84CB5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnl 00007F0E1CD84CB8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8899 second address: 10A889D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A889D second address: 10A88A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A88A1 second address: 10A88DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F0E1D238F8Dh 0x0000000f mov eax, dword ptr [eax] 0x00000011 push edi 0x00000012 jmp 00007F0E1D238F90h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007F0E1D238F88h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A88DA second address: 10A8921 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0E1CD84CA8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0E1CD84CA8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov ecx, dword ptr [ebp+122D2B94h] 0x0000002d mov edx, ebx 0x0000002f push 3CE1A9BAh 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 jnl 00007F0E1CD84CA6h 0x0000003d pop edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8A0B second address: 10A8A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a jmp 00007F0E1D238F90h 0x0000000f pop edi 0x00000010 xchg eax, esi 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F0E1D238F88h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov edi, dword ptr [ebp+122D27A9h] 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 pop eax 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A8A53 second address: 10A8A59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A9095 second address: 10A909A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10A94D4 second address: 10913B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d xor cl, FFFFFFA8h 0x00000010 call dword ptr [ebp+122D2EBEh] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10913B3 second address: 10913B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10913B7 second address: 10913D7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0E1CD84CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0E1CD84CB3h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066D3A second address: 1066D6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0E1D238F86h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push edx 0x0000000f jo 00007F0E1D238F88h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0E1D238F99h 0x0000001e push edx 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E9CC4 second address: 10E9CCE instructions: 0x00000000 rdtsc 0x00000002 js 00007F0E1CD84CB2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E9E4B second address: 10E9E59 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E1D238F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E9E59 second address: 10E9E5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E9E5F second address: 10E9E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA2DF second address: 10EA2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA477 second address: 10EA47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA47B second address: 10EA4FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F0E1CD84CB5h 0x00000011 jmp 00007F0E1CD84CB7h 0x00000016 jmp 00007F0E1CD84CB9h 0x0000001b popad 0x0000001c jmp 00007F0E1CD84CB8h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA4FB second address: 10EA4FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA66B second address: 10EA676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA676 second address: 10EA691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EA691 second address: 10EA6A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CAFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF4B5 second address: 10EF4C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F0E1D238F86h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF4C4 second address: 10EF4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E1CD84CB4h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0E1CD84CB5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EF97C second address: 10EF982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EEF34 second address: 10EEF56 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F0E1CD84CB5h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFC30 second address: 10EFC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFC36 second address: 10EFC3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFC3F second address: 10EFC43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFC43 second address: 10EFC49 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFEED second address: 10EFEF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EFEF1 second address: 10EFEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F3989 second address: 10F3990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F3990 second address: 10F399C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0E1CD84CA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F950A second address: 10F950F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8105 second address: 10F8121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8121 second address: 10F8127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8535 second address: 10F853C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F853C second address: 10F8556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E1D238F91h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F86AA second address: 10F86BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F0E1CD84CAEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F89C3 second address: 10F89CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F0E1D238F86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8B73 second address: 10F8B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push edi 0x00000007 jmp 00007F0E1CD84CB5h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8E4F second address: 10F8E87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F91h 0x00000007 jmp 00007F0E1D238F98h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jne 00007F0E1D238F86h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F8E87 second address: 10F8E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F0E1CD84CADh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F9369 second address: 10F936F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F936F second address: 10F9383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F9383 second address: 10F9387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10F9387 second address: 10F939F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jc 00007F0E1CD84CACh 0x0000000f ja 00007F0E1CD84CA6h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF4D2 second address: 10FF4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F0E1D238F92h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF4EA second address: 10FF501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF0B0 second address: 10FF0B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF0B4 second address: 10FF0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10FF201 second address: 10FF205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1101694 second address: 1101698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1101698 second address: 110169C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110169C second address: 11016A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11016A6 second address: 11016D0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0E1D238F86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F0E1D238F95h 0x00000012 jg 00007F0E1D238F86h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11068ED second address: 11068F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106E38 second address: 1106E3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106E3C second address: 1106E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106E48 second address: 1106E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jo 00007F0E1D238F98h 0x0000000b jmp 00007F0E1D238F90h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106FB7 second address: 1106FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106FBB second address: 1106FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0E1D238F8Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1106FCD second address: 1106FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110712D second address: 1107144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F0E1D238F86h 0x0000000d jns 00007F0E1D238F86h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1107144 second address: 1107152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F0E1CD84CA6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110BB90 second address: 110BBA9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E1D238F86h 0x00000008 jmp 00007F0E1D238F8Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110BBA9 second address: 110BBAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B2E0 second address: 110B2E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B2E4 second address: 110B315 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0E1CD84CABh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F0E1CD84CB2h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B315 second address: 110B31B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B31B second address: 110B31F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B468 second address: 110B495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F0E1D238F92h 0x00000012 jns 00007F0E1D238F86h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B495 second address: 110B4A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E1CD84CACh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B4A1 second address: 110B4A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B91E second address: 110B922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B922 second address: 110B932 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F8Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B932 second address: 110B938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 110B938 second address: 110B943 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jo 00007F0E1D238F86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111012B second address: 111013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E1CD84CA6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111013A second address: 1110140 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1110291 second address: 11102A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E1CD84CB0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11102A6 second address: 11102EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0E1D238F86h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F0E1D238F96h 0x00000015 pushad 0x00000016 popad 0x00000017 jnc 00007F0E1D238F86h 0x0000001d popad 0x0000001e pushad 0x0000001f jl 00007F0E1D238F86h 0x00000025 push esi 0x00000026 pop esi 0x00000027 jns 00007F0E1D238F86h 0x0000002d jmp 00007F0E1D238F8Ah 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11102EF second address: 1110321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F0E1CD84CB7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111072E second address: 1110737 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1110737 second address: 1110752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11108B7 second address: 11108BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11108BB second address: 11108C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A8EDA second address: 10A8EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A8EDE second address: 10A8F1F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, edx 0x0000000c push 00000004h 0x0000000e or di, 4EB3h 0x00000013 nop 0x00000014 jc 00007F0E1CD84CC3h 0x0000001a pushad 0x0000001b jg 00007F0E1CD84CA6h 0x00000021 jmp 00007F0E1CD84CB5h 0x00000026 popad 0x00000027 push eax 0x00000028 jp 00007F0E1CD84CAEh 0x0000002e push ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11109D1 second address: 11109DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11109DA second address: 11109E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0E1CD84CA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1110B5A second address: 1110B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0E1D238F86h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1110B68 second address: 1110B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116FA9 second address: 1116FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116FB1 second address: 1116FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116FB5 second address: 1116FDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F90h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0E1D238F8Dh 0x00000011 push eax 0x00000012 pop eax 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1116FDF second address: 1116FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1118369 second address: 1118390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F0E1D238F86h 0x00000013 jns 00007F0E1D238F86h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1118390 second address: 11183B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0E1CD84CAEh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1118C33 second address: 1118C3C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111CC54 second address: 111CC61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111CC61 second address: 111CC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1D238F93h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D0C5 second address: 111D0CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D218 second address: 111D21D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D21D second address: 111D235 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D235 second address: 111D23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D648 second address: 111D64C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D64C second address: 111D658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 111D658 second address: 111D69C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F0E1CD84CB2h 0x0000000f pushad 0x00000010 jno 00007F0E1CD84CA6h 0x00000016 jmp 00007F0E1CD84CADh 0x0000001b jmp 00007F0E1CD84CB2h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112BE4B second address: 112BE55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112A1AC second address: 112A1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112A1B8 second address: 112A1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0E1D238F86h 0x0000000a pop ecx 0x0000000b popad 0x0000000c jo 00007F0E1D238F92h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112A977 second address: 112A9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB5h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e jmp 00007F0E1CD84CB9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112A9AE second address: 112A9B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112B498 second address: 112B49E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112B49E second address: 112B4A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112BCED second address: 112BCF6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1129C01 second address: 1129C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1132C0E second address: 1132C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1132C1E second address: 1132C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0E1D238F97h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F0E1D238F86h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113F194 second address: 113F1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F0E1CD84CA6h 0x00000011 jmp 00007F0E1CD84CAAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1142CB7 second address: 1142CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1142CBD second address: 1142CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11491C5 second address: 11491C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1147D68 second address: 1147D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1147EB4 second address: 1147EE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F96h 0x00000007 jp 00007F0E1D238F86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F0E1D238F8Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 115882A second address: 115884D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F0E1CD84CB7h 0x0000000d popad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1158965 second address: 1158976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007F0E1D238F8Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1158E92 second address: 1158EAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F0E1CD84CCAh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1158EAD second address: 1158EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1D238F94h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1159020 second address: 1159024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1159A8B second address: 1159A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1161799 second address: 116179D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116179D second address: 11617A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11617A9 second address: 11617AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11617AD second address: 11617D9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F0E1D238F8Ch 0x00000011 jmp 00007F0E1D238F93h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1177437 second address: 117744D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1CD84CB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117744D second address: 1177455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1177455 second address: 1177459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1176FC1 second address: 1176FD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0E1D238F8Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1176FD0 second address: 1176FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0E1CD84CB4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117E650 second address: 117E665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jc 00007F0E1D238F9Ah 0x0000000c pushad 0x0000000d jno 00007F0E1D238F86h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11806CC second address: 11806D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11806D2 second address: 11806DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11806DA second address: 11806F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F0E1CD84CAEh 0x00000012 jl 00007F0E1CD84CA6h 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11806F4 second address: 1180701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F0E1D238F86h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1183CB1 second address: 1183CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1183CB5 second address: 1183CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1183CB9 second address: 1183CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0E1CD84CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007F0E1CD84CA6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F0E1CD84CAEh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A3CA second address: 118A3DC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0E1D238F88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118A3DC second address: 118A3E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C06A second address: 118C06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C06E second address: 118C074 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C074 second address: 118C098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0E1D238F97h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C098 second address: 118C09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C09C second address: 118C0BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0E1D238F98h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11839CB second address: 11839D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11839D1 second address: 11839D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1184B75 second address: 1184B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0E1CD84CAAh 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1184B88 second address: 1184B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: EFDC0C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 109BEA5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10A83C2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1134435 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F00E4E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4CA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010760A4 rdtsc 0_2_010760A4
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 6636 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D8026 GetSystemInfo,VirtualAlloc,0_2_010D8026
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1368699969.000000000107D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1368699969.000000000107D000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010760A4 rdtsc 0_2_010760A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFB7CA LdrInitializeThunk,0_2_00EFB7CA
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.1368852385.00000000010C6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: (Program Manager
Source: file.exe | Binary or memory string: tA(Program Manager

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 261 Virtualization/Sandbox Evasion | Security Account Manager | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 23 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 47% | ReversingLabs | Win32.Infostealer.Tinba |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1565522
Start date and time: 2024-11-30 04:12:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com, time.windows.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.472329089980284
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'765'824 bytes
MD5: 47aa764406ba64383ac50e4101f34474
SHA1: 48c14e56cc54ee0095c52a680d41b20e76dd3d2b
SHA256: 0bb190f23ae3739409ed5fc96d03728cbb385a58fd544f4fb8a74af959b2f72e
SHA512: d5d133cc90a1cd47255e6db9487ae1fd8afb7264dd084094d2dc3b782c9d0ffd783de94fc650bae49b20c0b1f5bc52df5a777a99ad9d502dc0cc5700c82ff6d7
SSDEEP: 49152:m7sNQnouAeEI0+206WUmc17WSlt3fcgJRZc2Vbf:IGQouAeEXX03UTwSz3f22Vbf
TLSH: 00D518A6B908B2CBD49B2A74B56BCE82595E03F9471048C3DC6D747B7F63CC125BAC24
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............*.. ...`....@.. ........................*......:*...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6aa000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 6d34e661414acfcd492678ec168db853 | False | 0.9303385416666666 | data | 7.764448278674302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xbmfzvhb | 0xa000 | 0x29e000 | 0x29d200 | 3be6f13fec6c433b5cdf4ccfb518c81e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ztggrlpz | 0x2a8000 | 0x2000 | 0x600 | 9ca9719573ab06ab7a7b943a1ca3d4f4 | False | 0.5494791666666666 | data | 4.8806179499797215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2aa000 | 0x4000 | 0x2200 | 62de776735d32cae87021039ec09828c | False | 0.06158088235294118 | DOS executable (COM) | 0.7799123764073105 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID: 0
Start time: 22:12:56
Start date: 29/11/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xef0000
File size: 2'765'824 bytes
MD5 hash: 47AA764406BA64383AC50E4101F34474
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 8.9%
Signature Coverage: 16.8%
Total number of Nodes: 101
Total number of Limit Nodes: 14

Control-flow Graph

APIs
  • GetSystemInfo.KERNELBASE(?,-113D5FEC), ref: 010D8032
  • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 010D8093
Memory Dump Source
  • Source File: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 93bc393196f1177e393717945d84b9a2cf8c7805c0040231845dd875c9bb342a
    • Instruction ID: a0ea04a45fd91cc25da6fefd22cb4afc783239fbbe3efad821ba2d896efa1ec0
    • Opcode Fuzzy Hash: 93bc393196f1177e393717945d84b9a2cf8c7805c0040231845dd875c9bb342a
    • Instruction Fuzzy Hash: 46412CB1901206EFE769CF648C45F96B7ECBB48740F0040A7E287DA885DB70D5D48BE0

    Control-flow Graph

    Control-flow graph (graph image residue; edges omitted): entry block 10760a4-10760a6 calls LoadLibraryA, followed by blocks 10760ac-10760b9 and 10760ba-1076207
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: baccc7f26b549592ce3229fd086034d3d3793c1a37bceba78a02fb2b5b4f7f3b
    • Instruction ID: 2a254425785b3c7b700789b472e80ba1c03143f896764f69dce15c4c9ed8286c
    • Opcode Fuzzy Hash: baccc7f26b549592ce3229fd086034d3d3793c1a37bceba78a02fb2b5b4f7f3b
    • Instruction Fuzzy Hash: 004132F250C610AFE716AF19D845A7EF7E9EF94721F12482DE7C482640D6350440CBA7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: df3ae69ccf7ae0124f1aa74b5fe2dc97d6d8fd7263b1ac06e900ca541f3256e3
    • Instruction ID: 2711aa4b05aa7f1b21c1695f41a8f9ba91a6acf9426bb3a8e1bd15266d89d350
    • Opcode Fuzzy Hash: df3ae69ccf7ae0124f1aa74b5fe2dc97d6d8fd7263b1ac06e900ca541f3256e3
    • Instruction Fuzzy Hash: 5DE08C311049CDAECB1AAF64C8027B9364EDB80700F602525EB01AAE4ACB6D09118795

    Control-flow Graph

    Control-flow graph (graph image residue; edges omitted): entry block 10797e5-1079802; block 1079812-107982e calls CreateFileA; blocks continue through 1079a5b-1079b8b, with calls to 1079a82 and 1079b06
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID: C
    • API String ID: 823142352-1037565863
    • Opcode ID: 26afb7b0a3107f13416cd28a860cf9fe3ca27ae22bbf8b8834c863b53811c99d
    • Instruction ID: c6d20954bfaa4c644b39e543ae3cf00f9f1c4b5a96c02b0d18778d9015b48c3e
    • Opcode Fuzzy Hash: 26afb7b0a3107f13416cd28a860cf9fe3ca27ae22bbf8b8834c863b53811c99d
    • Instruction Fuzzy Hash: 3C31467140E395BFD702CF244950AEB7FA8EB86234F2584AAE4C9CB052D2A94D09D775

    Control-flow Graph

    Control-flow graph (graph image residue; edges omitted): entry block 1075eee-1075ef2 calls LoadLibraryA; blocks continue through 1075efc-107609c and end in a self-loop at 107609f
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: dda670c75af4dccb0eb30eefdc3557cbbffeef69da484bb59e582143b5b118fd
    • Instruction ID: 3384ee8c3bf4107ffe04dfc3663f3e90c225819274f14287012e106a522a804b
    • Opcode Fuzzy Hash: dda670c75af4dccb0eb30eefdc3557cbbffeef69da484bb59e582143b5b118fd
    • Instruction Fuzzy Hash: 7B4163F260C600AFF705AF59ED816BEB7E9EFC4720F11883DE7C582640E67449548AA7

    Control-flow Graph

    Control-flow graph (graph image residue; edges omitted): entry block 10d8a52-10d8a60; calls to 10d88e7 and 10d89bc; block 10d8ba1-10d8ba9 calls VirtualProtect; exit block 10d8be2-10d8be4
    Memory Dump Source
    • Source File: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:

    Control-flow Graph (figure not reproduced)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0

    Control-flow Graph (figure not reproduced)
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,00000000), ref: 010D884C
    Memory Dump Source
    • Source File: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0

    Control-flow Graph (figure not reproduced)
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04B80DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1370465508.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b80000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0

    Control-flow Graph (figure not reproduced)
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04B80DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1370465508.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b80000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0

    Control-flow Graph (figure not reproduced)
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04B81580
    Memory Dump Source
    • Source File: 00000000.00000002.1370465508.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b80000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0

    Control-flow Graph (figure not reproduced)
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04B81580
    Memory Dump Source
    • Source File: 00000000.00000002.1370465508.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b80000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0

    Control-flow Graph (figure not reproduced)
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04B81367
    Memory Dump Source
    • Source File: 00000000.00000002.1370465508.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b80000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0

    Control-flow Graph (figure not reproduced)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04B81367
    Memory Dump Source
    • Source File: 00000000.00000002.1370465508.0000000004B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4b80000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 17d517d6ac38678e228152a3baf84e813209d8b5f0cb4a8eefd1ae5b0445f22e
    • Instruction ID: 4c638ca0d687c6a39b0a20aa143c1291f94f00dc2f23320ab5e5c5f74b4e96fd
    • Opcode Fuzzy Hash: 17d517d6ac38678e228152a3baf84e813209d8b5f0cb4a8eefd1ae5b0445f22e
    • Instruction Fuzzy Hash: F4D02EB770C2032EF310EA666E00FFEB618C7C6A30F10803EE808C1882D698082A8134
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 79e11e43d6224c1fbc5a1dfb10820c86315bb0f98642cb9b8acd57d1aec11316
    • Instruction ID: 4ff030458e2bb05b096a6d184d8d8a72fdde58743254009a545112d45a9579a3
    • Opcode Fuzzy Hash: 79e11e43d6224c1fbc5a1dfb10820c86315bb0f98642cb9b8acd57d1aec11316
    • Instruction Fuzzy Hash: 8AE0C2B66081637CF7028B251D10BFE2A28EBC9A24F50413EEA44C6082C35848098174
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00EFF3F9
    Memory Dump Source
    • Source File: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: af1743da405fb1f4c2fd3efc2973fe3e7db54877c9999b571e1ad8cf80b03fb6
    • Instruction ID: fe20e068098bbc87c02b5cd4916bf430d84a7cd428ac8dae3204d7a1a3b10ec7
    • Opcode Fuzzy Hash: af1743da405fb1f4c2fd3efc2973fe3e7db54877c9999b571e1ad8cf80b03fb6
    • Instruction Fuzzy Hash: 092198B1108309DFD7456F28D8846BEBBE4EF49300F26082EE6C296660E6711C50DB1A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1368852385.00000000010C6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 25f3e389434ebfa8489f6a6c08f06376dc5e22b067a0556088dfe88d25d1e99c
    • Instruction ID: c558e8540fd4b10d88906db61f74ced3b638e783b11aa5914d1c35b649e2426d
    • Opcode Fuzzy Hash: 25f3e389434ebfa8489f6a6c08f06376dc5e22b067a0556088dfe88d25d1e99c
    • Instruction Fuzzy Hash: 9A01D635A0014EBFDF21AFA8CC04DDEBFB6EF44641F0051A9B505A5061E7728661DF61
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,010D83C5,?,?,010D80CB,?,?,010D80CB,?,?,010D80CB), ref: 010D83E9
    Memory Dump Source
    • Source File: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 1723833c2316464e99dc1ce54eba672203eb983918de69c980fb541620948cfe
    • Instruction ID: 3af5ccd4b6b7ed0f8a5c564750096676f112d374322218eb6b3d335249ed5187
    • Opcode Fuzzy Hash: 1723833c2316464e99dc1ce54eba672203eb983918de69c980fb541620948cfe
    • Instruction Fuzzy Hash: 58F06DB1901306EFD7658F08C905B99BFE4FF45761F108069F58A9B1A5D7B194C08B54
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 00EFE739
    Memory Dump Source
    • Source File: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 25b45255dbc6b6c1674a6fafe9a1456ae02531ee36b92caef350bece74561a8c
    • Instruction ID: d05a2e315ff2c8c494d5fcc67c97c34a5c9f863f2cdc738210007a678a102968
    • Opcode Fuzzy Hash: 25b45255dbc6b6c1674a6fafe9a1456ae02531ee36b92caef350bece74561a8c
    • Instruction Fuzzy Hash: AAE01AB1508708DBDB406F39C50C2AEBBF0EF90731F10861DE9A5866D0C3724C90DB0A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    • Associated: 00000000.00000002.1368477812.0000000000EF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368498250.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368524698.0000000000EF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368563617.0000000000F06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368668145.0000000001062000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368683905.0000000001064000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.000000000107D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368734313.0000000001093000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368748759.0000000001094000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368774224.0000000001095000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368789678.0000000001099000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368810004.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368825623.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368839043.00000000010C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368852385.00000000010C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368867393.00000000010CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368900987.00000000010EE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368915369.00000000010F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368930772.00000000010F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368945047.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368958661.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368975150.0000000001102000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368990795.000000000110A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369004340.000000000110C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369017914.000000000110D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369031351.0000000001112000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369046941.0000000001113000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369088605.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369103534.0000000001121000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369116728.0000000001123000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369131589.000000000112B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369144718.000000000112D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369168812.0000000001148000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369182647.000000000114A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.0000000001182000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.000000000118A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369242398.0000000001198000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369257142.000000000119A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID:
    • String ID: <V[?
    • API String ID: 0-480338853
    • Opcode ID: 51261c4a6b89ed6cc4c29e24b6946c1cca6fcee37145d87652d55fa4de444976
    • Instruction ID: 0ec45faf5dc801399b0696e1dd88d8fade481fb230f2a5a227d64421b3bd5ff8
    • Opcode Fuzzy Hash: 51261c4a6b89ed6cc4c29e24b6946c1cca6fcee37145d87652d55fa4de444976
    • Instruction Fuzzy Hash: AA02E1F39082009FE704AF2DEC8566ABBE4EB54720F164A3DEAC4C7344E63598458B87
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    • Associated: 00000000.00000002.1368477812.0000000000EF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368498250.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368524698.0000000000EF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368563617.0000000000F06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368668145.0000000001062000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368683905.0000000001064000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.000000000107D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368734313.0000000001093000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368748759.0000000001094000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368774224.0000000001095000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368789678.0000000001099000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368810004.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368825623.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368839043.00000000010C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368852385.00000000010C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368867393.00000000010CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368900987.00000000010EE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368915369.00000000010F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368930772.00000000010F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368945047.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368958661.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368975150.0000000001102000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368990795.000000000110A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369004340.000000000110C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369017914.000000000110D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369031351.0000000001112000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369046941.0000000001113000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369088605.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369103534.0000000001121000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369116728.0000000001123000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369131589.000000000112B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369144718.000000000112D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369168812.0000000001148000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369182647.000000000114A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.0000000001182000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.000000000118A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369242398.0000000001198000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369257142.000000000119A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID:
    • String ID: NTDL
    • API String ID: 0-3662016964
    • Opcode ID: 42f1a55d3eb2dbbe997b88aba564da580aa1502bae59cf54af95a198b7917d96
    • Instruction ID: 89506a9f1c0102fa3eaef86af344200f448be9dd18c31040b8abea0c299b0155
    • Opcode Fuzzy Hash: 42f1a55d3eb2dbbe997b88aba564da580aa1502bae59cf54af95a198b7917d96
    • Instruction Fuzzy Hash: 3551C172A0821E8FCB05CF24C8416FF7BA2FF56324F24612AD942A7A41D6F25D52DA49
    Memory Dump Source
    • Source File: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    • Associated: 00000000.00000002.1368477812.0000000000EF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368498250.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368524698.0000000000EF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368563617.0000000000F06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368668145.0000000001062000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368683905.0000000001064000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.000000000107D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368734313.0000000001093000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368748759.0000000001094000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368774224.0000000001095000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368789678.0000000001099000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368810004.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368825623.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368839043.00000000010C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368852385.00000000010C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368867393.00000000010CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368900987.00000000010EE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368915369.00000000010F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368930772.00000000010F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368945047.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368958661.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368975150.0000000001102000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368990795.000000000110A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369004340.000000000110C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369017914.000000000110D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369031351.0000000001112000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369046941.0000000001113000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369088605.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369103534.0000000001121000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369116728.0000000001123000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369131589.000000000112B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369144718.000000000112D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369168812.0000000001148000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369182647.000000000114A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.0000000001182000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.000000000118A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369242398.0000000001198000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369257142.000000000119A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c359748b652a8520d3ddc2cf8d4c1e2b032822adba6864447972746aa18158f5
    • Instruction ID: b024f470edbe545904400d3a0ab691e0532dc88d247682efb667c026b2e248d1
    • Opcode Fuzzy Hash: c359748b652a8520d3ddc2cf8d4c1e2b032822adba6864447972746aa18158f5
    • Instruction Fuzzy Hash: 6AC1D3B3F156614BF3510978CC943616BA39BD2314F2F42B98E88ABBC6D87E5C0A53C0
    Memory Dump Source
    • Source File: 00000000.00000002.1368546632.0000000000EFA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EF0000, based on PE: true
    • Associated: 00000000.00000002.1368477812.0000000000EF0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368498250.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368524698.0000000000EF6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368563617.0000000000F06000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368668145.0000000001062000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368683905.0000000001064000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.0000000001072000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368699969.000000000107D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368734313.0000000001093000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368748759.0000000001094000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368774224.0000000001095000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368789678.0000000001099000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368810004.00000000010B9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368825623.00000000010C3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368839043.00000000010C4000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368852385.00000000010C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368867393.00000000010CF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368881531.00000000010D6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368900987.00000000010EE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368915369.00000000010F4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368930772.00000000010F5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368945047.00000000010FD000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368958661.00000000010FE000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368975150.0000000001102000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1368990795.000000000110A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369004340.000000000110C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369017914.000000000110D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369031351.0000000001112000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369046941.0000000001113000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369088605.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369103534.0000000001121000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369116728.0000000001123000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369131589.000000000112B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369144718.000000000112D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369168812.0000000001148000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369182647.000000000114A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.0000000001182000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369210466.000000000118A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369242398.0000000001198000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1369257142.000000000119A000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_ef0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 60db9ab2765ac1ff06e3deb7282e461eebfc9b79774f5b352cf2d8a189c549ce
    • Instruction ID: c37fc18f4939141c6341ddd71aeca93243e655d2a47e8be8516e887559482152
    • Opcode Fuzzy Hash: 60db9ab2765ac1ff06e3deb7282e461eebfc9b79774f5b352cf2d8a189c549ce
    • Instruction Fuzzy Hash: F971AFB3F2021687F3544E28CD583A27683DB91320F2F42788E985B7C5D9BFAD499384