Windows Analysis Report
VlY57c5AF4.exe

Overview

General Information

Sample name: VlY57c5AF4.exe (renamed because original name is a hash value)
Original sample name: 31869d1b842579150ac9a383507f5c67.exe
Analysis ID: 1589505
MD5: 31869d1b842579150ac9a383507f5c67
SHA1: 11c9911c58c43b6887ac2ac28020eb3897728784
SHA256: cc9a040ffd273753db7c02c29d779427f3e9d9a76a87827cc8fe722ab6a410c0
Tags: exe, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • VlY57c5AF4.exe (PID: 7444 cmdline: "C:\Users\user\Desktop\VlY57c5AF4.exe" MD5: 31869D1B842579150AC9A383507F5C67)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: VlY57c5AF4.exe Avira: detected
Source: VlY57c5AF4.exe Virustotal: Detection: 54%
Source: VlY57c5AF4.exe ReversingLabs: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: VlY57c5AF4.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_00715D30 CryptVerifySignatureA, 0_2_00715D30
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: VlY57c5AF4.exe, 00000000.00000003.1338383477.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, VlY57c5AF4.exe, 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: VlY57c5AF4.exe Static PE information: section name:
Source: VlY57c5AF4.exe Static PE information: section name: .idata
Source: VlY57c5AF4.exe Static PE information: section name:
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006AD160 0_2_006AD160
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_0064A15E 0_2_0064A15E
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006A8127 0_2_006A8127
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_00795274 0_2_00795274
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_005EF551 0_2_005EF551
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006A65AF 0_2_006A65AF
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006B06D5 0_2_006B06D5
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_0057A828 0_2_0057A828
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_005AFAD0 0_2_005AFAD0
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_0069FAAE 0_2_0069FAAE
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006AEB6D 0_2_006AEB6D
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_0068AB03 0_2_0068AB03
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_005B8C9B 0_2_005B8C9B
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_0069DFAC 0_2_0069DFAC
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: String function: 00710D25 appears 35 times
Source: VlY57c5AF4.exe, 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs VlY57c5AF4.exe
Source: VlY57c5AF4.exe, 00000000.00000002.1477364679.000000000100E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs VlY57c5AF4.exe
Source: VlY57c5AF4.exe Binary or memory string: OriginalFilenamedefOff.exe. vs VlY57c5AF4.exe
Source: VlY57c5AF4.exe Static PE information: Section: nhpvdyal ZLIB complexity 0.9947837615640358
Source: classification engine Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\VlY57c5AF4.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VlY57c5AF4.exe.log
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Mutant created: NULL
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: VlY57c5AF4.exe Virustotal: Detection: 54%
Source: VlY57c5AF4.exe ReversingLabs: Detection: 52%
Source: VlY57c5AF4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: VlY57c5AF4.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Section loaded: sspicli.dll
Source: VlY57c5AF4.exe Static file information: File size 1796608 > 1048576
Source: VlY57c5AF4.exe Static PE information: Raw size of nhpvdyal is bigger than: 0x100000 < 0x1b0600
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: VlY57c5AF4.exe, 00000000.00000003.1338383477.0000000004CF0000.00000004.00001000.00020000.00000000.sdmp, VlY57c5AF4.exe, 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\VlY57c5AF4.exe Unpacked PE file: 0.2.VlY57c5AF4.exe.520000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nhpvdyal:EW;aqbmmtnh:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: VlY57c5AF4.exe Static PE information: real checksum: 0x1c001b should be: 0x1c24cd
Source: VlY57c5AF4.exe Static PE information: section name:
Source: VlY57c5AF4.exe Static PE information: section name: .idata
Source: VlY57c5AF4.exe Static PE information: section name:
Source: VlY57c5AF4.exe Static PE information: section name: nhpvdyal
Source: VlY57c5AF4.exe Static PE information: section name: aqbmmtnh
Source: VlY57c5AF4.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C120E push 22DF2257h; mov dword ptr [esp], ecx 0_2_006C171D
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C120E push 097C142Fh; mov dword ptr [esp], esi 0_2_006C1787
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C7061 push 66BAA9A3h; mov dword ptr [esp], edx 0_2_006C748F
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C2071 push 6A6DC1FDh; mov dword ptr [esp], ecx 0_2_006C292B
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C2050 push 6A6DC1FDh; mov dword ptr [esp], ecx 0_2_006C292B
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC02E push ebp; mov dword ptr [esp], 772E6C80h 0_2_006CC053
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC02E push edi; mov dword ptr [esp], ecx 0_2_006CC087
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC02E push ebx; mov dword ptr [esp], eax 0_2_006CC146
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006D0027 push ecx; ret 0_2_006D002C
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC022 push ebp; mov dword ptr [esp], 772E6C80h 0_2_006CC053
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC022 push edi; mov dword ptr [esp], ecx 0_2_006CC087
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC022 push ebx; mov dword ptr [esp], eax 0_2_006CC146
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_007650F6 push eax; mov dword ptr [esp], edi 0_2_0076511D
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_007650F6 push 7F1A270Fh; mov dword ptr [esp], eax 0_2_00765161
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C10E8 push edx; mov dword ptr [esp], 3B243804h 0_2_006C1C84
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C10E8 push 3066B6D2h; mov dword ptr [esp], ebp 0_2_006C1C93
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C10CD push 14E3EDB3h; mov dword ptr [esp], ecx 0_2_006C1D7B
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C40C6 push esi; mov dword ptr [esp], edx 0_2_006C40D8
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006D80DC push 03FB6276h; mov dword ptr [esp], esi 0_2_006D8125
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006200D6 push 60D10C4Dh; mov dword ptr [esp], ecx 0_2_006200F8
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C20AD push 532DDEFAh; mov dword ptr [esp], ebp 0_2_006C599E
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006CC0BE push ebx; mov dword ptr [esp], eax 0_2_006CC146
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C80B7 push ecx; mov dword ptr [esp], ebp 0_2_006C83DC
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C80B7 push ecx; mov dword ptr [esp], 4081C1D8h 0_2_006C90C5
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_0076B097 push ebp; mov dword ptr [esp], edi 0_2_0076B115
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_00639099 push ebp; mov dword ptr [esp], ecx 0_2_006390BA
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_00639099 push esi; mov dword ptr [esp], edi 0_2_006390C0
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C3092 push ecx; mov dword ptr [esp], eax 0_2_006C4EB2
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C216B push edx; mov dword ptr [esp], eax 0_2_006C2C0C
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C216B push ebx; mov dword ptr [esp], eax 0_2_006C2C21
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Code function: 0_2_006C216B push ecx; mov dword ptr [esp], ebx 0_2_006C46BB
Source: VlY57c5AF4.exe Static PE information: section name: entropy: 7.799370812493314
Source: VlY57c5AF4.exe Static PE information: section name: nhpvdyal entropy: 7.95313801274188

Boot Survival

Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe Process information set: NOOPENFILEERRORBOX (16 identical entries)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\VlY57c5AF4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\VlY57c5AF4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 52E285 second address: 52E2A2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAE28DABD45h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B5461 second address: 6B548F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jno 00007FAE28F0DE76h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jne 00007FAE28F0DE76h 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e pop eax 0x0000001f jmp 00007FAE28F0DE7Eh 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B548F second address: 6B5495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B5495 second address: 6B5499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6A977F second address: 6A9797 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAE28DABD36h 0x00000008 jmp 00007FAE28DABD3Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B467E second address: 6B4687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B4687 second address: 6B468B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B4D47 second address: 6B4D4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7439 second address: 6B7444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAE28DABD36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7444 second address: 6B7449 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B750E second address: 6B7560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 48E63583h 0x0000000e jmp 00007FAE28DABD3Dh 0x00000013 lea ebx, dword ptr [ebp+1245D393h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FAE28DABD38h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov edx, dword ptr [ebp+122D21D4h] 0x00000039 push eax 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7560 second address: 6B7564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7612 second address: 6B7616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7616 second address: 6B7620 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7620 second address: 6B76B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAE28DABD41h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FAE28DABD38h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov dword ptr [ebp+122D22E1h], ebx 0x00000030 mov dh, ch 0x00000032 push 00000000h 0x00000034 mov edx, 3C6DE5D2h 0x00000039 push B43A04D0h 0x0000003e push ebx 0x0000003f push edx 0x00000040 jno 00007FAE28DABD36h 0x00000046 pop edx 0x00000047 pop ebx 0x00000048 add dword ptr [esp], 4BC5FBB0h 0x0000004f or edi, dword ptr [ebp+122D19D1h] 0x00000055 push 00000003h 0x00000057 push eax 0x00000058 mov dword ptr [ebp+122D1870h], edi 0x0000005e pop edx 0x0000005f push 00000000h 0x00000061 sub dword ptr [ebp+122D2214h], edx 0x00000067 push 00000003h 0x00000069 cmc 0x0000006a push 978DB3D1h 0x0000006f pushad 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B76B7 second address: 6B76BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B76BB second address: 6B76C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B76C5 second address: 6B76C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7765 second address: 6B77DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 xor dword ptr [esp], 0CB4B43Fh 0x0000000d jmp 00007FAE28DABD3Dh 0x00000012 call 00007FAE28DABD48h 0x00000017 pop edx 0x00000018 push 00000003h 0x0000001a mov edi, ecx 0x0000001c push 00000000h 0x0000001e mov cx, 3F80h 0x00000022 push 00000003h 0x00000024 push eax 0x00000025 mov si, di 0x00000028 pop ecx 0x00000029 call 00007FAE28DABD39h 0x0000002e pushad 0x0000002f jmp 00007FAE28DABD40h 0x00000034 jnl 00007FAE28DABD3Ch 0x0000003a popad 0x0000003b push eax 0x0000003c je 00007FAE28DABD3Eh 0x00000042 push esi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B77DA second address: 6B7808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a je 00007FAE28F0DE7Ch 0x00000010 jng 00007FAE28F0DE76h 0x00000016 jmp 00007FAE28F0DE81h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e push edi 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7808 second address: 6B7869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD45h 0x00000009 popad 0x0000000a pop edi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007FAE28DABD41h 0x00000016 push esi 0x00000017 pop esi 0x00000018 popad 0x00000019 pushad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c push eax 0x0000001d pop eax 0x0000001e popad 0x0000001f popad 0x00000020 pop eax 0x00000021 mov edx, dword ptr [ebp+122D2360h] 0x00000027 lea ebx, dword ptr [ebp+1245D3A7h] 0x0000002d mov dword ptr [ebp+122D202Dh], edi 0x00000033 xchg eax, ebx 0x00000034 pushad 0x00000035 js 00007FAE28DABD3Ch 0x0000003b jo 00007FAE28DABD36h 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6B7869 second address: 6B786D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D6F2B second address: 6D6F4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAE28DABD44h 0x0000000c jng 00007FAE28DABD36h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D70C2 second address: 6D70DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jng 00007FAE28F0DE76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FAE28F0DE7Eh 0x00000012 jc 00007FAE28F0DE76h 0x00000018 push esi 0x00000019 pop esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D70DC second address: 6D70EA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D728E second address: 6D7294 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7294 second address: 6D729D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D729D second address: 6D72A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D73EF second address: 6D7405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD3Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7405 second address: 6D7409 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7409 second address: 6D7411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D79E2 second address: 6D7A0A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007FAE28F0DE76h 0x00000009 jmp 00007FAE28F0DE86h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7A0A second address: 6D7A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD3Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7A19 second address: 6D7A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7A1D second address: 6D7A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7B81 second address: 6D7BB2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAE28F0DE76h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAE28F0DE7Ah 0x00000013 jmp 00007FAE28F0DE89h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7BB2 second address: 6D7BD4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAE28DABD36h 0x00000008 ja 00007FAE28DABD36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jng 00007FAE28DABD36h 0x00000019 popad 0x0000001a jo 00007FAE28DABD42h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7BD4 second address: 6D7BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7D6B second address: 6D7D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7D70 second address: 6D7D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FAE28F0DE84h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7ED2 second address: 6D7ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D7ED8 second address: 6D7F05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FAE28F0DE81h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 69BFB3 second address: 69BFB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 69BFB7 second address: 69BFC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 69BFC3 second address: 69BFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 69BFD1 second address: 69BFD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D82DB second address: 6D82F3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FAE28DABD36h 0x00000012 jnp 00007FAE28DABD36h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D82F3 second address: 6D82F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D82F7 second address: 6D8314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FAE28DABD42h 0x00000011 jc 00007FAE28DABD36h 0x00000017 jo 00007FAE28DABD36h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D8314 second address: 6D831A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D831A second address: 6D8320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D8320 second address: 6D832E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D88CB second address: 6D88E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD48h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D8B97 second address: 6D8C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FAE28F0DE7Dh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FAE28F0DE89h 0x0000001a jmp 00007FAE28F0DE83h 0x0000001f jmp 00007FAE28F0DE87h 0x00000024 popad 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007FAE28F0DE88h 0x0000002c push ecx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe RDTSC instruction interceptor: First address: 6D8C15 second address: 6D8C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DD82F second address: 6DD835 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DD835 second address: 6DD848 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAE28DABD38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DD848 second address: 6DD84E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DDCDD second address: 6DDCEE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DDCEE second address: 6DDCF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DDE6C second address: 6DDE76 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6DDF65 second address: 6DDF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FAE28F0DE85h 0x0000000b pop edi 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 jmp 00007FAE28F0DE7Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E5376 second address: 6E537E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E553D second address: 6E5565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FAE28F0DE87h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E5565 second address: 6E5569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E5569 second address: 6E556F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E7C61 second address: 6E7C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FAE28DABD3Ch 0x0000000b popad 0x0000000c push eax 0x0000000d jo 00007FAE28DABD57h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FAE28DABD45h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E7C91 second address: 6E7C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E8075 second address: 6E808C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007FAE28DABD36h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007FAE28DABD44h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E88A9 second address: 6E88AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6E9D31 second address: 6E9D36 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EAE36 second address: 6EAE82 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c jmp 00007FAE28F0DE87h 0x00000011 or esi, 49EEAA08h 0x00000017 push 00000000h 0x00000019 mov edi, esi 0x0000001b push 00000000h 0x0000001d stc 0x0000001e xchg eax, ebx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FAE28F0DE88h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EAE82 second address: 6EAE86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EC441 second address: 6EC456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007FAE28F0DE7Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EC456 second address: 6EC45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EC45F second address: 6EC4E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FAE28F0DE78h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 sub dword ptr [ebp+122D1CC4h], ecx 0x0000002b push 00000000h 0x0000002d mov edi, dword ptr [ebp+122D3973h] 0x00000033 and si, 6BCFh 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007FAE28F0DE78h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 0000001Dh 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov esi, dword ptr [ebp+122D375Bh] 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007FAE28F0DE7Bh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EDEDF second address: 6EDEF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD46h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EDEF9 second address: 6EDEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EE5E7 second address: 6EE5F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAE28DABD36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EE5F2 second address: 6EE615 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b js 00007FAE28F0DE7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EE615 second address: 6EE619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EEFCF second address: 6EEFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAE28F0DE81h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6EEFE7 second address: 6EEFF9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b ja 00007FAE28DABD36h 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F29F1 second address: 6F29F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F29F7 second address: 6F29FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F2AE4 second address: 6F2AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F483B second address: 6F483F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F2AE8 second address: 6F2B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FAE28F0DE7Ch 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 or bx, 7086h 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007FAE28F0DE78h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 mov dword ptr [ebp+122D1C57h], esi 0x0000003c mov bh, EEh 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 push 00000000h 0x00000047 push esi 0x00000048 call 00007FAE28F0DE78h 0x0000004d pop esi 0x0000004e mov dword ptr [esp+04h], esi 0x00000052 add dword ptr [esp+04h], 00000016h 0x0000005a inc esi 0x0000005b push esi 0x0000005c ret 0x0000005d pop esi 0x0000005e ret 0x0000005f sub dword ptr [ebp+1245E88Bh], esi 0x00000065 mov edi, dword ptr [ebp+122D3A1Bh] 0x0000006b mov eax, dword ptr [ebp+122D0D49h] 0x00000071 push FFFFFFFFh 0x00000073 or bx, AB00h 0x00000078 nop 0x00000079 jl 00007FAE28F0DE7Eh 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 jo 00007FAE28F0DE83h 0x00000088 jmp 00007FAE28F0DE7Dh 0x0000008d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F483F second address: 6F4860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAE28DABD47h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F4860 second address: 6F486A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAE28F0DE7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F6B7A second address: 6F6B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F7B4B second address: 6F7BDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAE28F0DE85h 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D1868h], ecx 0x00000016 add ebx, dword ptr [ebp+1245E31Dh] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FAE28F0DE78h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 movsx edi, bx 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push edx 0x00000040 call 00007FAE28F0DE78h 0x00000045 pop edx 0x00000046 mov dword ptr [esp+04h], edx 0x0000004a add dword ptr [esp+04h], 0000001Bh 0x00000052 inc edx 0x00000053 push edx 0x00000054 ret 0x00000055 pop edx 0x00000056 ret 0x00000057 xor edi, 482DD9D4h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 pushad 0x00000062 popad 0x00000063 jns 00007FAE28F0DE76h 0x00000069 popad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F8A88 second address: 6F8B10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007FAE28DABD38h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jp 00007FAE28DABD3Bh 0x0000002a and di, AE65h 0x0000002f jmp 00007FAE28DABD46h 0x00000034 push 00000000h 0x00000036 jmp 00007FAE28DABD3Dh 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push esi 0x00000040 call 00007FAE28DABD38h 0x00000045 pop esi 0x00000046 mov dword ptr [esp+04h], esi 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc esi 0x00000053 push esi 0x00000054 ret 0x00000055 pop esi 0x00000056 ret 0x00000057 mov bx, si 0x0000005a push eax 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F7D5E second address: 6F7DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 xor ebx, 15FC8493h 0x0000000f mov dword ptr [ebp+122D1A29h], edx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov dword ptr [ebp+122D22DCh], eax 0x00000022 stc 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007FAE28F0DE78h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 jmp 00007FAE28F0DE87h 0x00000049 mov eax, dword ptr [ebp+122D0E6Dh] 0x0000004f sub dword ptr [ebp+12465B82h], edi 0x00000055 push FFFFFFFFh 0x00000057 add dword ptr [ebp+122D1F9Ch], edi 0x0000005d nop 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 jo 00007FAE28F0DE76h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F8B10 second address: 6F8B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F7DDF second address: 6F7DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F8B14 second address: 6F8B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F7DE3 second address: 6F7DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F7DE9 second address: 6F7E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FAE28DABD49h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F7E1E second address: 6F7E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAE28F0DE7Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FAA6F second address: 6FAA8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAE28DABD47h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FAA8A second address: 6FAA8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F9C3B second address: 6F9C4C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6F9C4C second address: 6F9C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FB8C4 second address: 6FB8CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FAE28DABD36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FB8CE second address: 6FB8D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FB8D2 second address: 6FB8E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007FAE28DABD3Eh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FB985 second address: 6FB98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FB98A second address: 6FB98F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FBAC6 second address: 6FBACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FAC81 second address: 6FAC86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FAC86 second address: 6FAC8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FAC8D second address: 6FACA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jc 00007FAE28DABD38h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FACA2 second address: 6FACA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FEF37 second address: 6FEF51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD46h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FEF51 second address: 6FEF6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FAE28F0DE7Fh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FEF6D second address: 6FEF77 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6FEF77 second address: 6FEF7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 701D80 second address: 701DF9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007FAE28DABD36h 0x00000013 jmp 00007FAE28DABD3Fh 0x00000018 popad 0x00000019 jns 00007FAE28DABD38h 0x0000001f popad 0x00000020 nop 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007FAE28DABD38h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000014h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b sub dword ptr [ebp+1245E4B9h], ebx 0x00000041 push 00000000h 0x00000043 mov ebx, dword ptr [ebp+122D20C5h] 0x00000049 mov edi, 4881944Fh 0x0000004e push 00000000h 0x00000050 or bh, 00000042h 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jmp 00007FAE28DABD42h 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 701054 second address: 70107E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007FAE28F0DE7Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 701DF9 second address: 701DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 70107E second address: 701084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 702F62 second address: 702F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 705DC5 second address: 705DE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FAE28F0DE7Eh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 71E2A3 second address: 71E2D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FAE28DABD36h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007FAE28DABD45h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 71E2D1 second address: 71E2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 71E2D6 second address: 71E2DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 71E2DC second address: 71E2E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 72447A second address: 7244A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FAE28DABD45h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jc 00007FAE28DABD3Eh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 723150 second address: 72316D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAE28F0DE87h 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007FAE28F0DE7Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 72316D second address: 723185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 723185 second address: 7231A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FAE28F0DE7Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007FAE28F0DE7Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7231A0 second address: 7231BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FAE28DABD47h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7231BD second address: 7231CF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FAE28F0DE76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723719 second address: 723720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723720 second address: 723757 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAE28F0DE7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAE28F0DE87h 0x0000000f jmp 00007FAE28F0DE82h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7238A6 second address: 7238AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7238AA second address: 7238B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7238B5 second address: 7238C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007FAE28DABD36h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7238C3 second address: 7238C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723A27 second address: 723A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723A2B second address: 723A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007FAE28F0DE76h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723A3E second address: 723A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723A44 second address: 723A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723A4A second address: 723A68 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FAE28DABD44h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723BE2 second address: 723BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723D54 second address: 723D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAE28DABD40h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723D6B second address: 723D78 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 723D78 second address: 723D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72402F second address: 724049 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAE28F0DE76h 0x00000008 jp 00007FAE28F0DE76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007FAE28F0DE7Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 724049 second address: 72404D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7242C9 second address: 7242CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7242CD second address: 7242D7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7242D7 second address: 7242DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7242DC second address: 7242FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD41h 0x00000009 jp 00007FAE28DABD36h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72B979 second address: 72B9A1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAE28F0DE7Ch 0x00000008 ja 00007FAE28F0DE8Eh 0x0000000e jmp 00007FAE28F0DE82h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6648 second address: 6E6654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6654 second address: 6E6659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6CAD second address: 6E6CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6CB1 second address: 6E6CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6CB5 second address: 6E6CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6CBB second address: 6E6CF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xor dword ptr [esp], 13E52028h 0x00000011 pushad 0x00000012 jmp 00007FAE28F0DE86h 0x00000017 mov eax, 295FA076h 0x0000001c popad 0x0000001d call 00007FAE28F0DE79h 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 push edi 0x00000026 pop edi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6CF7 second address: 6E6D2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jmp 00007FAE28DABD42h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6D2C second address: 6E6D6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FAE28F0DE7Bh 0x00000013 mov eax, dword ptr [eax] 0x00000015 jno 00007FAE28F0DE7Eh 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007FAE28F0DE7Dh 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6FD6 second address: 6E6FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E6FE5 second address: 6E6FEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E7140 second address: 6E714A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAE28DABD36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E740C second address: 6E7411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E7411 second address: 6E741C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FAE28DABD36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E78B7 second address: 6E78BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E78BB second address: 6E78C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E78C1 second address: 6E78C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E78C7 second address: 6E78F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD43h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAE28DABD43h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E78F6 second address: 6E78FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E78FC second address: 6E7900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E7900 second address: 6E7960 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FAE28F0DE78h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 movzx edx, dx 0x00000029 lea eax, dword ptr [ebp+1248C40Fh] 0x0000002f movsx ecx, ax 0x00000032 nop 0x00000033 jmp 00007FAE28F0DE84h 0x00000038 push eax 0x00000039 js 00007FAE28F0DE7Eh 0x0000003f push edi 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6D0040 second address: 6D0046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6D0046 second address: 6D005E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jmp 00007FAE28F0DE7Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6A1011 second address: 6A1015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6A1015 second address: 6A1023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FAE28F0DE78h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6A1023 second address: 6A1072 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAE28DABD38h 0x00000008 pushad 0x00000009 jo 00007FAE28DABD36h 0x0000000f pushad 0x00000010 popad 0x00000011 jng 00007FAE28DABD36h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f push edi 0x00000020 pop edi 0x00000021 jmp 00007FAE28DABD44h 0x00000026 popad 0x00000027 jmp 00007FAE28DABD47h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72BC7A second address: 72BC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72BC7E second address: 72BC92 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE28DABD36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FAE28DABD38h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C0D2 second address: 72C0D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C0D6 second address: 72C0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C0DC second address: 72C0F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28F0DE80h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C252 second address: 72C262 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAE28DABD38h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C3C1 second address: 72C3CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C3CA second address: 72C3D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C3D0 second address: 72C3D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C3D4 second address: 72C3D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C3D8 second address: 72C3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C540 second address: 72C54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FAE28DABD36h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 72C54B second address: 72C552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 733039 second address: 733062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FAE28DABD3Ah 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 69F608 second address: 69F60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 731B5C second address: 731B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 731B60 second address: 731B70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 731B70 second address: 731B75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 731B75 second address: 731B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 731B7D second address: 731B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7320C3 second address: 7320C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7320C9 second address: 7320CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73222F second address: 732235 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 732235 second address: 73223B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73223B second address: 732260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAE28F0DE84h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 732376 second address: 73237D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73237D second address: 732397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FAE28F0DE81h 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 732666 second address: 73267B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 738AED second address: 738AFD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 737960 second address: 737966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 737D61 second address: 737DA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FAE28F0DE85h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FAE28F0DE7Ah 0x00000015 jmp 00007FAE28F0DE7Dh 0x0000001a popad 0x0000001b jc 00007FAE28F0DE7Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 737DA1 second address: 737DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 737DA5 second address: 737DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAE28F0DE7Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 737F2F second address: 737F6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007FAE28DABD40h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FAE28DABD42h 0x00000017 jmp 00007FAE28DABD41h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 738326 second address: 73832A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73832A second address: 738336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAE28DABD36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7384C7 second address: 73850D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FAE28F0DE91h 0x0000000c push ebx 0x0000000d jmp 00007FAE28F0DE81h 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FAE28F0DE76h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73850D second address: 73852F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jl 00007FAE28DABD36h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73B680 second address: 73B6A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop esi 0x00000008 pushad 0x00000009 jmp 00007FAE28F0DE85h 0x0000000e jg 00007FAE28F0DE76h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 73D9FC second address: 73DA0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FAE28DABD36h 0x0000000a jne 00007FAE28DABD36h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7491FA second address: 7491FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7491FE second address: 749204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 749204 second address: 749222 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FAE28F0DE7Eh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 749222 second address: 749228 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 747CD1 second address: 747CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAE28F0DE76h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007FAE28F0DE88h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 6E72E3 second address: 6E731A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D1E07h], ebx 0x00000010 mov ebx, dword ptr [ebp+1248C40Ah] 0x00000016 mov edx, dword ptr [ebp+122D3767h] 0x0000001c mov ecx, dword ptr [ebp+122D38ABh] 0x00000022 add eax, ebx 0x00000024 pushad 0x00000025 mov eax, 79C07AEBh 0x0000002a mov ecx, dword ptr [ebp+122D1915h] 0x00000030 popad 0x00000031 push eax 0x00000032 push ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 748329 second address: 748343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FAE28F0DE7Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FAE28F0DE7Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 748343 second address: 74836D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAE28DABD47h 0x0000000b jc 00007FAE28DABD38h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74836D second address: 74837C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FAE28F0DE76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74837C second address: 748380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 748F06 second address: 748F1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Ch 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74BB07 second address: 74BB0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74BB0B second address: 74BB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74BB11 second address: 74BB32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAE28DABD3Dh 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jl 00007FAE28DABD36h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74BB32 second address: 74BB4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAE28F0DE87h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7500DD second address: 7500E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7500E3 second address: 7500F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007FAE28F0DE76h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7500F0 second address: 75011F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAE28DABD3Ch 0x00000008 push esi 0x00000009 jmp 00007FAE28DABD47h 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop esi 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F36C second address: 74F37F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAE28F0DE78h 0x00000008 pushad 0x00000009 jnc 00007FAE28F0DE76h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F37F second address: 74F385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F650 second address: 74F655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F655 second address: 74F667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAE28DABD3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F839 second address: 74F843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FAE28F0DE76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F843 second address: 74F847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F847 second address: 74F852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F9A0 second address: 74F9B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAE28DABD36h 0x0000000a jno 00007FAE28DABD36h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74F9B3 second address: 74F9BD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAE28F0DE94h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 74FCB3 second address: 74FCB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 7553B4 second address: 7553BE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 755686 second address: 7556A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAE28DABD42h 0x0000000b popad 0x0000000c jc 00007FAE28DABD3Ah 0x00000012 pushad 0x00000013 popad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 75596B second address: 75597D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 75597D second address: 755981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe | RDTSC instruction interceptor: First address: 755981 second address: 75599C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE87h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75599C second address: 7559C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FAE28DABD3Ch 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jng 00007FAE28DABD36h 0x00000017 pop eax 0x00000018 jmp 00007FAE28DABD3Ch 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 755F8F second address: 755F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 755F93 second address: 755FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD49h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 756A95 second address: 756A9F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAE28F0DE7Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 758789 second address: 7587B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FAE28DABD3Bh 0x0000000f popad 0x00000010 pushad 0x00000011 jg 00007FAE28DABD36h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a popad 0x0000001b jp 00007FAE28DABD60h 0x00000021 push eax 0x00000022 push edx 0x00000023 je 00007FAE28DABD36h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75D18A second address: 75D1C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FAE28F0DE83h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FAE28F0DE7Fh 0x00000019 push eax 0x0000001a pop eax 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75C3AF second address: 75C3E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FAE28DABD36h 0x00000009 jmp 00007FAE28DABD3Ah 0x0000000e jmp 00007FAE28DABD46h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAE28DABD3Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75C560 second address: 75C565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75C565 second address: 75C56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75C56B second address: 75C581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28F0DE7Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75C581 second address: 75C585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75C585 second address: 75C5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE87h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d jg 00007FAE28F0DE76h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CB48 second address: 75CB57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jc 00007FAE28DABD36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CC8C second address: 75CC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CC90 second address: 75CCAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CCAC second address: 75CCC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28F0DE7Dh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CE7A second address: 75CE97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CE97 second address: 75CEB5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE87h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 75CEB5 second address: 75CEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAE28DABD36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7639C1 second address: 7639C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7639C7 second address: 7639CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7639CB second address: 7639CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7639CF second address: 7639E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop eax 0x0000000a pop esi 0x0000000b jbe 00007FAE28DABD52h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7650A5 second address: 7650AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AA29 second address: 76AA2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AA2F second address: 76AA33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AE11 second address: 76AE22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jns 00007FAE28DABD36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AE22 second address: 76AE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AE27 second address: 76AE42 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD45h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AE42 second address: 76AE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AF85 second address: 76AF95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AF95 second address: 76AFAF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAE28F0DE83h 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76AFAF second address: 76AFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAE28DABD36h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jbe 00007FAE28DABD36h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76B2E1 second address: 76B2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76B2E7 second address: 76B2EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 76B2EB second address: 76B319 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FAE28F0DE82h 0x00000013 ja 00007FAE28F0DE76h 0x00000019 js 00007FAE28F0DE76h 0x0000001f jmp 00007FAE28F0DE7Fh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 775D92 second address: 775DA0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FAE28DABD3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 775DA0 second address: 775DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 ja 00007FAE28F0DE76h 0x0000000e js 00007FAE28F0DE76h 0x00000014 jne 00007FAE28F0DE76h 0x0000001a jg 00007FAE28F0DE76h 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 jno 00007FAE28F0DE76h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 775DCB second address: 775DCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 775DCF second address: 775DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 783565 second address: 78358B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAE28DABD36h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FAE28DABD45h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7830F0 second address: 78312C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FAE28F0DE76h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FAE28F0DE88h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FAE28F0DE81h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78826A second address: 788271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 787E3B second address: 787E43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 787E43 second address: 787E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78C483 second address: 78C488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78C488 second address: 78C4AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD44h 0x00000009 jne 00007FAE28DABD36h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78C4AE second address: 78C4C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FAE28F0DE7Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78C4C1 second address: 78C4D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD43h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78C4D9 second address: 78C4DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 78C4DE second address: 78C4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 794FA8 second address: 794FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FAE28F0DE76h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 794FB3 second address: 794FBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 794FBA second address: 794FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 js 00007FAE28F0DE76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79733E second address: 797344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 797344 second address: 79734E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAE28F0DE76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79734E second address: 797364 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FAE28DABD36h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FAE28DABD36h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 798B25 second address: 798B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 798B2B second address: 798B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD45h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79FC08 second address: 79FC1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79FC1E second address: 79FC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79FC22 second address: 79FC4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FAE28F0DE7Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79FC4A second address: 79FC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79FC50 second address: 79FC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E511 second address: 79E515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E654 second address: 79E658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E658 second address: 79E65C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E65C second address: 79E662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E662 second address: 79E669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E669 second address: 79E6A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FAE28F0DE87h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007FAE28F0DE8Eh 0x00000014 jns 00007FAE28F0DE7Ch 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E7E2 second address: 79E7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E7E8 second address: 79E7ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E7ED second address: 79E7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAE28DABD36h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E7F9 second address: 79E81E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007FAE28F0DE82h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E95B second address: 79E973 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAE28DABD42h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79E973 second address: 79E977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79EC25 second address: 79EC34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jl 00007FAE28DABD36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79EC34 second address: 79EC48 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAE28F0DE76h 0x00000008 jnc 00007FAE28F0DE76h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79EC48 second address: 79EC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79EE1D second address: 79EE32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79EE32 second address: 79EE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007FAE28DABD50h 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FAE28DABD48h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 79EE57 second address: 79EE5C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7A1F63 second address: 7A1F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7A1F69 second address: 7A1F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7A1F6D second address: 7A1F7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6A469C second address: 6A46A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6A46A0 second address: 6A46C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAE28DABD41h 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e jng 00007FAE28DABD36h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 6A46C2 second address: 6A46D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7A5293 second address: 7A52C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD44h 0x00000007 jmp 00007FAE28DABD44h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7B29A2 second address: 7B29B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 jbe 00007FAE28F0DE76h 0x0000000d jno 00007FAE28F0DE76h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7BF3A8 second address: 7BF3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exeRDTSC instruction interceptor: First address: 7BEF39 second address: 7BEF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28F0DE82h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007FAE28F0DE89h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7BF0D7 second address: 7BF0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7C631F second address: 7C637C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAE28F0DE83h 0x0000000a pushad 0x0000000b jmp 00007FAE28F0DE83h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FAE28F0DE80h 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007FAE28F0DE87h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7C637C second address: 7C638A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28DABD3Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7C638A second address: 7C6390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7C6390 second address: 7C6397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7C6397 second address: 7C63AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAE28F0DE7Bh 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA3EE second address: 7CA3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7C9DCE second address: 7C9DF2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAE28F0DE7Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a jns 00007FAE28F0DE76h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 jmp 00007FAE28F0DE7Dh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7D09E7 second address: 7D09F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7D24D3 second address: 7D24D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7D24D7 second address: 7D24E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007FAE28DABD36h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CB3DF second address: 7CB3E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA0A3 second address: 7CA0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA0AC second address: 7CA0B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA226 second address: 7CA22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA22A second address: 7CA248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAE28F0DE84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA248 second address: 7CA24C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA24C second address: 7CA260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28F0DE7Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA260 second address: 7CA266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA266 second address: 7CA281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FAE28F0DE7Ah 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA281 second address: 7CA286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA286 second address: 7CA28B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CA28B second address: 7CA291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CB1BF second address: 7CB1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CB1C3 second address: 7CB1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jns 00007FAE28DABD36h 0x0000000d jbe 00007FAE28DABD36h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CB1D7 second address: 7CB1E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAE28F0DE7Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - RDTSC instruction interceptor: First address: 7CB1E6 second address: 7CB245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAE28DABD47h 0x00000009 jmp 00007FAE28DABD48h 0x0000000e popad 0x0000000f js 00007FAE28DABD4Bh 0x00000015 jmp 00007FAE28DABD43h 0x0000001a push eax 0x0000001b pop eax 0x0000001c pop edx 0x0000001d pop eax 0x0000001e pushad 0x0000001f jnp 00007FAE28DABD3Ah 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push edi 0x00000028 pop edi 0x00000029 push esi 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Special instruction interceptor: First address: 52DAF9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Special instruction interceptor: First address: 6DC54D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Special instruction interceptor: First address: 6E67D5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Special instruction interceptor: First address: 778923 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Special instruction interceptor: First address: 5349A1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Special instruction interceptor: First address: 534DF3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Memory allocated: 4EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Memory allocated: 50C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Memory allocated: 5010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Code function: 0_2_006CC02E rdtsc 0_2_006CC02E
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Code function: 0_2_006C9440 sidt fword ptr [esp-02h] 0_2_006C9440
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\VlY57c5AF4.exe TID: 2676 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Code function: 0_2_0071AD11 GetSystemInfo,VirtualAlloc, 0_2_0071AD11
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Thread delayed: delay time: 922337203685477
Source: VlY57c5AF4.exe, VlY57c5AF4.exe, 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: VlY57c5AF4.exe, 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - System information queried: ModuleInformation
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - File opened: NTICE
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - File opened: SICE
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - File opened: SIWVID
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Code function: 0_2_006CC02E rdtsc 0_2_006CC02E
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Memory allocated: page read and write | page guard
Source: VlY57c5AF4.exe, VlY57c5AF4.exe, 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: qoProgram Manager
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Code function: 0_2_00714E72 GetSystemTime,GetFileTime, 0_2_00714E72

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\VlY57c5AF4.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is the count of matching signatures for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Bypass User Account Control (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (41); Virtualization/Sandbox Evasion (271); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Bypass User Account Control (2)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (641); Process Discovery (2); Virtualization/Sandbox Evasion (271); System Information Discovery (24); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
VlY57c5AF4.exe | 54% | Virustotal | -
VlY57c5AF4.exe | 53% | ReversingLabs | Win32.Infostealer.Tinba
VlY57c5AF4.exe | 100% | Avira | TR/Crypt.XPACK.Gen
VlY57c5AF4.exe | 100% | Joe Sandbox ML | -
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | - | high
    No contacted IP infos
    Joe Sandbox version:42.0.0 Malachite
    Analysis ID:1589505
    Start date and time:2025-01-12 17:37:20 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 2m 51s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:3
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:VlY57c5AF4.exe
    renamed because original name is a hash value
    Original Sample Name:31869d1b842579150ac9a383507f5c67.exe
    Detection:MAL
    Classification:mal100.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Stop behavior analysis, all processes terminated
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 13.107.253.45
    • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    No simulations
    No context
    Match: s-part-0017.t-0009.fb-t-msedge.net
    Associated Sample Name / URL | Detection | Threat Name | Context
    wN7EPNiHSM.exe | malicious | FormBook | 13.107.253.45
    http://infarmbureau.com | malicious | Unknown | 13.107.253.45
    32474162872806629906.js | malicious | Strela Downloader | 13.107.253.45
    0Ie2kYdPTW.exe | malicious | FormBook | 13.107.253.45
    97q26I8OtN.exe | malicious | FormBook | 13.107.253.45
    nkCBRtd25H.exe | malicious | Unknown | 13.107.253.45
    https://www.filemail.com/d/rxythqchkhluipl?skipreg=true | malicious | Unknown | 13.107.253.45
    https://eu.jotform.com/app/250092704521347 | malicious | Unknown | 13.107.253.45
    http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch | malicious | Unknown | 13.107.253.45
    fghj.exe | malicious | LummaC | 13.107.253.45
    Process:C:\Users\user\Desktop\VlY57c5AF4.exe
    File Type:CSV text
    Category:dropped
    Size (bytes):226
    Entropy (8bit):5.360398796477698
    Encrypted:false
    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
    MD5:3A8957C6382192B71471BD14359D0B12
    SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
    SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
    SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
    Malicious:true
    Reputation:high, very likely benign file
    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.93442303185315
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:VlY57c5AF4.exe
    File size:1'796'608 bytes
    MD5:31869d1b842579150ac9a383507f5c67
    SHA1:11c9911c58c43b6887ac2ac28020eb3897728784
    SHA256:cc9a040ffd273753db7c02c29d779427f3e9d9a76a87827cc8fe722ab6a410c0
    SHA512:cf2d4751bf8b3a165c600902303b7330764731db043a1310ab16cb50f13edf8d4b6ab1611d30cca874d12e536a26a7e472943d88cbed5f19e296677976201867
    SSDEEP:24576:DuQ9fZyTRJj0auvahWUsRhnurHvrMVNuMN9WoSdqHSxUhtGQqZl:xJcRyjaRsRhnurHTQWoSdqyxUhtGQ
    TLSH:968533A8709794FFC625ECF19783BB9339701DD1DCC12D185A1A18F9DC1B23A9206AB7
    File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... G.. ...`....@.. .......................`G...........`................................
    Icon Hash:90cececece8e8eb0
    Entrypoint:0x872000
    Entrypoint Section:.taggant
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
    Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:2eabe9054cad5152567f0699947a2c5b
    Instruction
    jmp 00007FAE2889776Ah
    cmovs ebx, dword ptr [ebx]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add cl, ch
    add byte ptr [eax], ah
    add byte ptr [eax], al
    add byte ptr [0000000Ah], al
    add byte ptr [eax], al
    add byte ptr [eax], dh
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], ah
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], ah
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [0000000Ah], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], cl
    add byte ptr [eax], 00000000h
    add byte ptr [eax], al
    add byte ptr [eax], al
    adc byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add eax, 0000000Ah
    add byte ptr [eax], al
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x668 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    (unnamed) | 0x2000 | 0x4000 | 0x1200 | cebaacbde3d3816dce22e5c56da240d5 | False | 0.9340277777777778 | data | 7.799370812493314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0x6000 | 0x668 | 0x800 | 9b75d09ccc423d1d725cffc943ee7423 | False | 0.35888671875 | data | 4.826847184006519 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    (unnamed) | 0xa000 | 0x2b4000 | 0x200 | 6eda491eae344388a4706969d616737b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    nhpvdyal | 0x2be000 | 0x1b2000 | 0x1b0600 | 0986a76fda99b71d0f4a5dc5e6548075 | False | 0.9947837615640358 | data | 7.95313801274188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    aqbmmtnh | 0x470000 | 0x2000 | 0x400 | afbd024d77752078996ba2d05f02149e | False | 0.76953125 | data | 6.148806784651842 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .taggant | 0x472000 | 0x4000 | 0x2200 | 68ee55d5e0a6d2d7fd93836d9144fefe | False | 0.06456801470588236 | DOS executable (COM) | 0.7975506092801732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    RT_VERSION | 0x60a0 | 0x30c | data | - | - | 0.42948717948717946
    RT_MANIFEST | 0x63ac | 0x2bb | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.4978540772532189
    DLL | Import
    kernel32.dll | lstrcpy
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Jan 12, 2025 17:38:16.912163973 CET | 1.1.1.1 | 192.168.2.10 | 0xcb28 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | - | CNAME (Canonical name) | IN (0x0001) | false
    Jan 12, 2025 17:38:16.912163973 CET | 1.1.1.1 | 192.168.2.10 | 0xcb28 | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
    Jan 12, 2025 17:38:16.912163973 CET | 1.1.1.1 | 192.168.2.10 | 0xcb28 | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | - | 13.107.253.45 | A (IP address) | IN (0x0001) | false
    Target ID:0
    Start time:11:38:20
    Start date:12/01/2025
    Path:C:\Users\user\Desktop\VlY57c5AF4.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\VlY57c5AF4.exe"
    Imagebase:0x520000
    File size:1'796'608 bytes
    MD5 hash:31869D1B842579150AC9A383507F5C67
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:true


      Execution Graph

      Execution Coverage:4.8%
      Dynamic/Decrypted Code Coverage:3.5%
      Signature Coverage:4%
      Total number of Nodes:347
      Total number of Limit Nodes:14
      execution_graph: [serialized node/edge data of the interactive Execution Graph widget (truncated on the page); not reproduced here]
7273->7275 7276 71bd7f 7275->7276 7281 71239d 7276->7281 7278 71bd8e 7279 71bda7 7278->7279 7280 71b8d2 GetModuleFileNameA VirtualProtect 7278->7280 7280->7279 7283 7123a9 7281->7283 7285 7123be 7283->7285 7284 7123dc 7285->7284 7286 7123eb 18 API calls 7285->7286 7286->7284 7287 714de0 7288 710d25 2 API calls 7287->7288 7289 714dec GetCurrentProcess 7288->7289 7290 714e38 7289->7290 7293 714dfc 7289->7293 7291 714e3d DuplicateHandle 7290->7291 7292 714e33 7291->7292 7293->7290 7294 714e27 7293->7294 7296 712b7d 7294->7296 7299 712ba7 7296->7299 7297 712c3a 7297->7292 7299->7297 7300 712b65 7299->7300 7303 710bd0 7300->7303 7304 710be6 7303->7304 7305 710c00 7304->7305 7307 710bb4 7304->7307 7305->7297 7308 712b3e CloseHandle 7307->7308 7309 710bc4 7308->7309 7309->7305 7310 7129e7 7311 710d25 2 API calls 7310->7311 7312 7129f3 7311->7312 7313 711437 2 API calls 7312->7313 7314 712a11 7312->7314 7313->7314 7315 712a42 GetModuleHandleExA 7314->7315 7316 712a19 7314->7316 7315->7316 7317 71bcab 7319 71bcb7 7317->7319 7320 71bcc9 7319->7320 7321 71b8d2 2 API calls 7320->7321 7322 71bcdb 7321->7322 7323 71bdad 7325 71bdb9 7323->7325 7326 71bdd6 7325->7326 7327 712652 18 API calls 7326->7327 7328 71be09 7327->7328 7329 715fac 7330 710d25 2 API calls 7329->7330 7331 715fb8 7330->7331 7332 716020 MapViewOfFileEx 7331->7332 7333 715fd1 7331->7333 7332->7333 7334 71566f 7336 715678 7334->7336 7337 710d25 2 API calls 7336->7337 7339 715684 7337->7339 7338 71569d 7339->7338 7340 7156d4 ReadFile 7339->7340 7340->7338 7341 4ef10f0 7342 4ef1131 7341->7342 7345 713a79 7342->7345 7343 4ef1151 7346 710d25 2 API calls 7345->7346 7347 713a85 7346->7347 7348 713aae 7347->7348 7349 713a9e 7347->7349 7351 713ab3 CloseHandle 7348->7351 7350 712b65 CloseHandle 7349->7350 7352 713aa4 7350->7352 7351->7352 7352->7343 7353 715e4e 7355 715e5a 7353->7355 7357 715e72 7355->7357 7358 715e9c 7357->7358 7359 715d88 7357->7359 7361 715d94 7359->7361 7362 710d25 2 API calls 7361->7362 7363 715da7 
7362->7363 7364 715e20 7363->7364 7365 715de5 7363->7365 7366 715dc1 7363->7366 7367 715e25 CreateFileMappingA 7364->7367 7365->7366 7369 71345f 7365->7369 7367->7366 7370 713476 7369->7370 7371 7134df CreateFileA 7370->7371 7372 713573 7370->7372 7373 713524 7371->7373 7372->7366 7373->7372 7374 712b3e CloseHandle 7373->7374 7374->7372 7375 4ef1510 7376 4ef1558 ControlService 7375->7376 7377 4ef158f 7376->7377

      Control-flow Graph

      APIs
      • GetSystemInfo.KERNELBASE(?,-11DA5FEC), ref: 0071AD1D
      • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 0071AD7E
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: AllocInfoSystemVirtual
      • String ID:
      • API String ID: 3440192736-0
      • Opcode ID: 567c93cba42472d73eac841a2f166ae9d57cf7c9fce3487bdaeaf537d393607b
      • Instruction ID: 7e8084b7d84e33494d8537f888164f102c48f004f9c7cbf7258bda84ae35238b
      • Instruction Fuzzy Hash: FE4101B1A40316AEE725DF68C845F9677ACBB49700F005562F607DA8C2D77495F48BA0

      Control-flow Graph

      APIs
      • LoadLibraryExW.KERNEL32(?,?,?), ref: 00712509
      • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0071251D
      Similarity
      • API ID: LibraryLoad
      • String ID: .dll$.exe$1002
      • API String ID: 1029625771-847511843
      • Opcode ID: 858f8d7f1b8bdf94b18fdd6610cd0fc70f9798139cba33f062b44acf08dca675
      • Instruction ID: 88ed0c40e4f01364515f5ec422ddcacad9949f6a5f536c228ae4aecd8abc8ce7
      • Instruction Fuzzy Hash: F0312571904149EFCF25AF98E908AED7B76FB08340F108059B806961E2C73999F2DBA1

      Control-flow Graph

      APIs
      • GetModuleHandleW.KERNEL32(?,?,?,?,00712890,?,00000000,00000000), ref: 007129BB
      • GetModuleHandleA.KERNEL32(00000000,?,?,?,00712890,?,00000000,00000000), ref: 007129C9
      Similarity
      • API ID: HandleModule
      • String ID: .dll
      • API String ID: 4139908857-2738580789
      • Opcode ID: 059de42a0390617c3d474b523d5910116f3e41a3f84d8fb06ff4647f686bca7f
      • Instruction ID: e56e48a870a9709f49f1842860bcd962600ba7101dc204808c38d269c3612110
      • Instruction Fuzzy Hash: 9C112A31204709EFEB319F2CD80DBE9BAB0BF40741F104225A945644D6C7B9B9F6DA92

      Control-flow Graph

      APIs
      • GetFileAttributesW.KERNELBASE(01040694,-11DA5FEC), ref: 007152D1
      • GetFileAttributesA.KERNEL32(00000000,-11DA5FEC), ref: 007152DF
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: ac7853c0a1a1739fa4be24723e00eece844269768544597edb4531cb8724dc88
      • Instruction ID: 79c9bcc7b635d0a601c543c6f8c59b790f91343d3621743461f4367a9b7c14b3
      • Instruction Fuzzy Hash: 07014BB2604904FADF299F9CD80D7DCBE71BF91344F604114A502694D1D7B89AD1A694

      Control-flow Graph

      APIs
      • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0071133A
      Similarity
      • API ID: ExtensionPath
      • String ID: \\?\
      • API String ID: 158807944-4282027825
      • Opcode ID: 53d546752ad9c1af52c8928d4a4ce4810a5bb979447c04e06253c9dd683c7e19
      • Instruction ID: ec1b141504cb4892baeafc6470c41a4a0831cee6e9e626a88c080e4108287224
      • Instruction Fuzzy Hash: 44310A3690024ABFDF21DF99CD09BDEBA79BF44740F404065FA00A95A0D77A9AA1DB50

      Control-flow Graph

      Similarity
      • API ID: LibraryLoad
      • String ID: QVt
      • API String ID: 1029625771-2271137033
      • Opcode ID: f016ed5dbc557964c4e29f35b3516fe83bd0a71a5e40facfb6d0358dade9d38e
      • Instruction ID: 6e386733872fe80b00903ee00d9ca7042aa6f731dad745ed41f3f3f43d615f6d
      • Instruction Fuzzy Hash: F0018C7150D310DFC3449F29E48486EF7E6EF85B21F21882EE1D887200D3358985DB07

      Control-flow Graph

      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00712A4B
      Similarity
      • API ID: CurrentHandleModuleSleepThread
      • String ID: .dll
      • API String ID: 683542999-2738580789
      • Opcode ID: 2d34618336050d8b5f4184a4f385219ee65ff07ded3e9caf246b035d828f2449
      • Instruction ID: fee73c489f8ae2d5913b5dd9f630991f449e9351bb9d1fe846abf36ac67e84ab
      • Instruction Fuzzy Hash: 0DF04971200205EFDF209FA8E849BEE7BA0BF18340F50C015FD01490D6C779D4E2AAA1

      Control-flow Graph

      APIs
      • CreateFileW.KERNELBASE(01040694,?,?,-11DA5FEC,?,?,?,-11DA5FEC,?), ref: 00715526
        • Part of subcall function 00715426: IsBadWritePtr.KERNEL32(?,00000004), ref: 00715434
      • CreateFileA.KERNEL32(?,?,?,-11DA5FEC,?,?,?,-11DA5FEC,?), ref: 00715546
      Similarity
      • API ID: CreateFile$Write
      • String ID:
      • API String ID: 1125675974-0
      • Opcode ID: d900142abd3d39c2a6dd2d503a16e511755ca665a7899a6c611006a164f39624
      • Instruction ID: 868b0b370da85fd643bd35f91cecd24e6a522a015ca80e0143b66fc6f2c7d04c
      • Instruction Fuzzy Hash: AE110331104A49FBCF169F98DC09BDE7A73BF88345F144015BA06240E1D37A8AF1EB91

      Control-flow Graph

      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • GetCurrentProcess.KERNEL32(-11DA5FEC), ref: 00714DED
      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00714E53
      Similarity
      • API ID: Current$DuplicateHandleProcessSleepThread
      • String ID:
      • API String ID: 2846201637-0
      • Opcode ID: 71997270b2934d6ef43b5bbcd0e2a204bcae69c407ecc3df3127f7cf652adc13
      • Instruction ID: a65335390cad8cb90ffcdc4760fce5755c6e8879c03cf0e06debd3da34a0f61f
      • Instruction Fuzzy Hash: 2B014B3320010AFB8F22AFACDC08CDE3B75BF98750B004515F90190091D739D0E5AB61

      Control-flow Graph

      APIs
      • GetCurrentThreadId.KERNEL32 ref: 00710D34
      • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      Similarity
      • API ID: CurrentSleepThread
      • String ID:
      • API String ID: 1164918020-0
      • Opcode ID: 13c92501895a996289dc086f66b6dbe19090ba38008e4632cc1753e8e90a33fd
      • Instruction ID: 76b2b5a8ab1db1c52a6ae0575f3e41b58d009313287e7c3bce95b1b700ea167b
      • Instruction Fuzzy Hash: B0F0BE71204605EBD7229F98E94E7AEB7B4FF40319F2001BAD10285191DBB828C6DAC5

      Control-flow Graph

      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • CloseHandle.KERNELBASE(?,-11DA5FEC,?,?,0071343C,?), ref: 00713AB7
      Similarity
      • API ID: CloseCurrentHandleSleepThread
      • String ID: <4q
      • API String ID: 4003616898-1310226363
      • Opcode ID: 9a03ed34ece7b31568a024a05ae8bc7711deebef963402a7b730688d5be11122
      • Instruction ID: 47c3e04687975323fe652c02ddbd40b5340ba90d1ec3117edf5d27efda76fdb5
      • Opcode Fuzzy Hash: 9a03ed34ece7b31568a024a05ae8bc7711deebef963402a7b730688d5be11122
      • Instruction Fuzzy Hash: 7DE04F72304446EACB207BBCE80DDCE6E2CAFE5784B004125B54A950D5DA7CD2D297A4

      Control-flow Graph (image not reproduced; blocks recovered from the graph data)
      • Function 0071B73D-0071B8CF, 38 basic blocks
      • 71b76e-71b778: calls 71b5d2; 71b7cc-71b7d8: calls 71b6a7
      • 71b7db-71b8c8: loop body (71b8c5-71b8c8 branches back to 71b7db); 71b88c-71b894 inside it calls VirtualProtect
      • 71b8cd-71b8cf: common exit
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e23ad44eb9b9f6154682258fd379b7bc5c5167263b1acd1d357a8b07d8e60e3c
      • Instruction ID: 35d430e037194376d5cfaaed75ae8f1a2e330d43b6650f3660c790d68f0a9591
      • Opcode Fuzzy Hash: e23ad44eb9b9f6154682258fd379b7bc5c5167263b1acd1d357a8b07d8e60e3c
      • Instruction Fuzzy Hash: 2E4159B1D00205EFDB21DF68C984BEAB7B9FF44B14F148495E512AA5D2C339ADE0CB91

      Control-flow Graph (image not reproduced; blocks recovered from the graph data)
      • Function 0071345F-00713598, 17 basic blocks
      • 713476-71348a and 71349f-7134a8: call 710e03
      • 7134ae-7134bf: calls 712c41; 7134cf-7134db: calls 717cc9
      • 7134df-71351e: calls CreateFileA
      • 71354b-713562: calls 710b45; 713568-713573: calls 712b3e; 713578-713580: calls 712ad0; 713585-713588: calls 710e28
      • 713594-713598: common exit
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00713514
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 80844c00e7d679cd3472ec0440a4bd5c9b3690cf4ab4efdce5e2f76b96a0c207
      • Instruction ID: 4478b6479596c9edbe1d18be3afb7543d2d208107791726bdbf0fd16f98c1e10
      • Opcode Fuzzy Hash: 80844c00e7d679cd3472ec0440a4bd5c9b3690cf4ab4efdce5e2f76b96a0c207
      • Instruction Fuzzy Hash: 53315B71A00204FFDB219F69DC49FEEBBB9FB04714F208169F905AA1D1C7799A91CB50

      Control-flow Graph (image not reproduced; blocks recovered from the graph data)
      • Function 00712C7B-00712D9B, 14 basic blocks
      • 712c7b-712c8a: calls 710e03; 712c90-712ca1: calls 712c41; 712cb1-712cbd: calls 717cc9
      • 712cc1-712d07: calls CreateFileA
      • 712d5b-712d72: calls 710b45; 712d78-712d83: calls 712b3e; 712d88-712d8b: calls 712ad0
      • 712d97-712d9b: common exit
      APIs
      • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00712CFD
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 2468f605c361637912d42aeda1eb0f8a839c2c40c0727e0936ade4053056ccb3
      • Instruction ID: 42d889d446091a6d5b23d6de8e88bf74b70070b13a63d3465d7b67a0359f7a49
      • Opcode Fuzzy Hash: 2468f605c361637912d42aeda1eb0f8a839c2c40c0727e0936ade4053056ccb3
      • Instruction Fuzzy Hash: F4316471640204BBEB209F68EC49FDDB7B8EF04724F208265F615AA1D2C7B5A5928B94

      Control-flow Graph (image not reproduced; blocks recovered from the graph data)
      • Function 0071B48A-0071B579, 16 basic blocks
      • 71b4bf-71b523: chain of checks, each with an alternate path into 71b566-71b572
      • 71b529-71b540: calls GetModuleFileNameA; 71b546-71b554: calls 71b3e6
      • 71b577-71b579: common exit
      APIs
      • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0071B537
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: FileModuleName
      • String ID:
      • API String ID: 514040917-0
      • Opcode ID: d2d42506219de407abbe666aab685359d60ba8e247e96fab9a8769bc8b6eaae0
      • Instruction ID: aa60ec7e98c5e4f42a11ff1159c750d06f1bd7c192fda94dd574c2a07f0561f4
      • Opcode Fuzzy Hash: d2d42506219de407abbe666aab685359d60ba8e247e96fab9a8769bc8b6eaae0
      • Instruction Fuzzy Hash: 02118971E012259BEB309B1CCD88BFA777DEF58754F104095F905A60D1D7789ED08AB1
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04EF0DCD
      Memory Dump Source
      • Source File: 00000000.00000002.1478876683.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4ef0000_VlY57c5AF4.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 56b8899e367e7d74e119bfa730f0788ce5207b46cc3dee2e35ce00638ce686f2
      • Instruction ID: b2a476f627d1ef1f6a821d7abb49fc5cc9d21b7777d0c79798192783dee36919
      • Opcode Fuzzy Hash: 56b8899e367e7d74e119bfa730f0788ce5207b46cc3dee2e35ce00638ce686f2
      • Instruction Fuzzy Hash: 922138B6D012189FCB50DF99D885BDEFBF4EB88320F14862AD908AB205D775A541CBA4
      APIs
      • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04EF0DCD
      Memory Dump Source
      • Source File: 00000000.00000002.1478876683.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4ef0000_VlY57c5AF4.jbxd
      Similarity
      • API ID: ManagerOpen
      • String ID:
      • API String ID: 1889721586-0
      • Opcode ID: 23f0d476057cc4510a6980ebc6ed7d6a8b540bd54c676c813a1342a06850c0ac
      • Instruction ID: aeb3376322be32c1d656ea335bb34494a9979fca836549378cd7e708cb479fad
      • Opcode Fuzzy Hash: 23f0d476057cc4510a6980ebc6ed7d6a8b540bd54c676c813a1342a06850c0ac
      • Instruction Fuzzy Hash: 182133B6C012189FCB10CFA9D884BDEFBF4EB88310F14821AD908AB205D735A940CBA4
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 04EF1580
      Memory Dump Source
      • Source File: 00000000.00000002.1478876683.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4ef0000_VlY57c5AF4.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: 649530d4117c316a2156bdd20c82ba1999d415cebd7489ede34076c3db86898d
      • Instruction ID: d69355ba3a701101d7821f1fc2bd81fe34719d4064aac733805ebd816b70dabb
      • Opcode Fuzzy Hash: 649530d4117c316a2156bdd20c82ba1999d415cebd7489ede34076c3db86898d
      • Instruction Fuzzy Hash: 382106B1D00649DFDB20CF9AC885BDEFBF4EB48320F148429E558A7250D774AA44CFA5
      APIs
      • ControlService.ADVAPI32(?,?,?), ref: 04EF1580
      Memory Dump Source
      • Source File: 00000000.00000002.1478876683.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4ef0000_VlY57c5AF4.jbxd
      Similarity
      • API ID: ControlService
      • String ID:
      • API String ID: 253159669-0
      • Opcode ID: a7ebdf756713eb2314f4ba7d9f41d7674919afd93373ec30a607ede4ac9ea01b
      • Instruction ID: ee4c0251c44bbac1e5d65e17fce11836439cc902509e7939cf820b049ca4e761
      • Opcode Fuzzy Hash: a7ebdf756713eb2314f4ba7d9f41d7674919afd93373ec30a607ede4ac9ea01b
      • Instruction Fuzzy Hash: C91106B1D00249CFDB20CF9AC885BDEFBF4EB48320F148029E558A3250D374AA44CFA5
      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11DA5FEC), ref: 00716033
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CurrentFileSleepThreadView
      • String ID:
      • API String ID: 2270672837-0
      • Opcode ID: d94d9a225184d89370e43a4a5d1d03796a9a2ba9637071bb6b3939112c21ab45
      • Instruction ID: 4864e5fa5cf7114a862ca6c600567d4912e5fe77f39d8a963b1076ad3ef51530
      • Opcode Fuzzy Hash: d94d9a225184d89370e43a4a5d1d03796a9a2ba9637071bb6b3939112c21ab45
      • Instruction Fuzzy Hash: 1C11A57210410AEACF22AFA8DC09DDE7A76AF58340B004415FA11550A5D73AD4F2EBA1
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 04EF1367
      Memory Dump Source
      • Source File: 00000000.00000002.1478876683.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4ef0000_VlY57c5AF4.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 21ba60c512b0cd6b6721cc2c3137789ccac2c147a5aad9b70db4d01e163c8ef8
      • Instruction ID: 8d55f45f38ecd42efbb93c247f3373dd449227d10914fa0855a82a8b0ae88376
      • Opcode Fuzzy Hash: 21ba60c512b0cd6b6721cc2c3137789ccac2c147a5aad9b70db4d01e163c8ef8
      • Instruction Fuzzy Hash: 631128B1901249CFDB20CF9AD985BEEFBF4EF48320F148429D558A3250D778A945CFA5
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CurrentSleepThread
      • String ID:
      • API String ID: 1164918020-0
      • Opcode ID: d2f411bfa08b0b3c42443832dd70aa27e67e2d978abe31db93aa37d603a57313
      • Instruction ID: 7ec6d1f762d9af1e63289157880fd3f171913fa647abafc9a0d8f7ffbde9d3b3
      • Opcode Fuzzy Hash: d2f411bfa08b0b3c42443832dd70aa27e67e2d978abe31db93aa37d603a57313
      • Instruction Fuzzy Hash: 5F113C3260060AEACF16AFACD80DADE7B75AF84344F004015F911990E1C77DCAE5EB90
      APIs
      • ImpersonateLoggedOnUser.KERNELBASE ref: 04EF1367
      Memory Dump Source
      • Source File: 00000000.00000002.1478876683.0000000004EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EF0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_4ef0000_VlY57c5AF4.jbxd
      Similarity
      • API ID: ImpersonateLoggedUser
      • String ID:
      • API String ID: 2216092060-0
      • Opcode ID: 997f69ab94f944b01c34ec995ab5b1d89a7e1d5a3aaadf4145053023b29c0e60
      • Instruction ID: 0863c3ab37fb328ddcefa9a2516bb4dbbc2724956c4805360017dad60a0aaed3
      • Opcode Fuzzy Hash: 997f69ab94f944b01c34ec995ab5b1d89a7e1d5a3aaadf4145053023b29c0e60
      • Instruction Fuzzy Hash: 631106B1900349CFDB20CF9AD945BEEFBF4EB48324F24842AD558A3650D778A944CFA5
      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11DA5FEC,?,?,007133A7,?,?,00000400,?,00000000,?,00000000), ref: 007156E4
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CurrentFileReadSleepThread
      • String ID:
      • API String ID: 1253362762-0
      • Opcode ID: 36e004bcc5167e5b4fe94519533ca780329eb9274337d447ad8c8f58f217a8f3
      • Instruction ID: bb6bf4429c37ecf27c7b9aae607726284f536f7d09fb810dbe5936ac5e40b26f
      • Opcode Fuzzy Hash: 36e004bcc5167e5b4fe94519533ca780329eb9274337d447ad8c8f58f217a8f3
      • Instruction Fuzzy Hash: 69F0C93260050AEBCF166FACD809EDE7F66EF94750F408015F912550A1C77AD4E1EBA1
      APIs
      • GetProcAddress.KERNEL32(00711E11,00711E11), ref: 007126A6
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: AddressProc
      • String ID:
      • API String ID: 190572456-0
      • Opcode ID: 8a2f7a898e35e079ca77de561ff1f32604fff0a234c9486dd62d6070942bbdca
      • Instruction ID: f1c14d3fad589e873ec1d48d54d144a4d269c22f0853c63029140b2286ccdd78
      • Opcode Fuzzy Hash: 8a2f7a898e35e079ca77de561ff1f32604fff0a234c9486dd62d6070942bbdca
      • Instruction Fuzzy Hash: 90E06D36200104FA8F123BBCDD0D9DD3E65AE94380B108121B806584D7DB3DC6F3EA61
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: lstrcmpi
      • String ID:
      • API String ID: 1586166983-0
      • Opcode ID: f074df3a162e4683e2e32faa4c8698a2b04a8e63271863e52964be7d66a09911
      • Instruction ID: 45e5e48a55572d4f65fc4b1fe7fce1a984f827f463273c29061db2bb8d71a52d
      • Opcode Fuzzy Hash: f074df3a162e4683e2e32faa4c8698a2b04a8e63271863e52964be7d66a09911
      • Instruction Fuzzy Hash: D001AC35600149FFCF229F69CC09DDEBB79EF44740F004165F501A40A5D77696A2DFA1
      APIs
      • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0071B0B0,?,?,0071ADB6,?,?,0071ADB6,?,?,0071ADB6), ref: 0071B0D4
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 8ab2416be0f05eb51588ade6d63f12c55556331a13ac0766426cc55ed3374880
      • Instruction ID: 82c2b182401af573b84bb3dd7dce6bc6858aa8fe382ba883270eaef04618ba9e
      • Opcode Fuzzy Hash: 8ab2416be0f05eb51588ade6d63f12c55556331a13ac0766426cc55ed3374880
      • Instruction Fuzzy Hash: 0BF081B1A00209EFD7318F58CD09BA9BBE4FF89761F118064F54A9B591D3B598D09B50
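The "APIs" entries above print every argument as raw hex, and for calls such as CreateFileA and VirtualAlloc the plugin also prints the stack slots that follow the real parameter list (return addresses like 0071B0B0 and 0071ADB6). The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses that line format, names the documented Win32 parameters, and translates the flag constants seen in this report (0x80000000, 1, 3 for CreateFileA; 0x1000, 4 for VirtualAlloc). The sample lines are copied from this page; the parameter names follow the public Win32 prototypes; the function and table names (`parse_api_lines`, `decode_call`, `PROTOTYPES`, etc.) are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: API entries copied from this report, in the line layout
# the Joe Sandbox IDA plugin prints ("• Api.MODULE(args), ref: addr").
SAMPLE_API_LINES = """\
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00713514
• VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0071B0B0,?,?,0071ADB6,?,?,0071ADB6,?,?,0071ADB6), ref: 0071B0D4
• GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0071B537
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04EF0DCD
• ImpersonateLoggedOnUser.KERNELBASE ref: 04EF1367
  • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented Win32 parameter lists. Only these leading slots are real arguments;
# anything the plugin prints beyond them is whatever else sat on the stack.
PROTOTYPES = {
    "CreateFileA": ["lpFileName", "dwDesiredAccess", "dwShareMode",
                    "lpSecurityAttributes", "dwCreationDisposition",
                    "dwFlagsAndAttributes", "hTemplateFile"],
    "VirtualAlloc": ["lpAddress", "dwSize", "flAllocationType", "flProtect"],
    "GetModuleFileNameA": ["hModule", "lpFilename", "nSize"],
    "OpenSCManagerW": ["lpMachineName", "lpDatabaseName", "dwDesiredAccess"],
    "Sleep": ["dwMilliseconds"],
}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
              0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {0x1: "PAGE_NOACCESS", 0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
                0x8: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_arg(tok: str) -> Optional[int]:
    """'?' means the plugin could not resolve the slot; otherwise hex, possibly signed."""
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_lines(text: str) -> List[Dict]:
    """Turn the report's API bullet lines into call records (unparseable lines are skipped)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m["args"]
        calls.append({
            "api": m["api"],
            "module": m["mod"],
            "ref": int(m["ref"], 16),
            "subcall_of": int(m["sub"], 16) if m["sub"] else None,
            "args": None if raw_args is None else [parse_arg(a) for a in raw_args.split(",")],
        })
    return calls


def flag_names(value: Optional[int], table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into constant names; leftover unknown bits are kept as hex."""
    if value is None:
        return ["?"]
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names or ["0"]


def decode_call(call: Dict) -> Dict:
    """Name the real parameters and translate flag constants for the APIs we know."""
    out = {"api": call["api"], "module": call["module"], "ref": call["ref"]}
    names = PROTOTYPES.get(call["api"])
    if names is None or call["args"] is None:
        return out
    params = dict(zip(names, call["args"]))
    out["params"] = params
    out["stack_extra"] = call["args"][len(names):]   # slots past the prototype
    if call["api"] == "CreateFileA":
        out["decoded"] = {
            "dwDesiredAccess": flag_names(params.get("dwDesiredAccess"), GENERIC_ACCESS),
            "dwShareMode": flag_names(params.get("dwShareMode"), SHARE_MODE),
            "dwCreationDisposition": DISPOSITION.get(params.get("dwCreationDisposition"), "?"),
        }
    elif call["api"] == "VirtualAlloc":
        out["decoded"] = {
            "flAllocationType": flag_names(params.get("flAllocationType"), ALLOC_TYPE),
            "flProtect": PAGE_PROTECT.get(params.get("flProtect"), "?"),
        }
    return out


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE_API_LINES):
        print(decode_call(c))
```

Run on the lines above, the CreateFileA call decodes to GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING (a read-only open of an existing file), and the VirtualAlloc call to a 0x1000-byte MEM_COMMIT region with PAGE_READWRITE protection; the trailing 0071B0B0/0071ADB6 values land in `stack_extra`, which is where they belong, since VirtualAlloc takes only four parameters.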
      APIs
      • CloseHandle.KERNELBASE(?,?,00710BC4,?,?), ref: 00712B44
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CloseHandle
      • String ID:
      • API String ID: 2962429428-0
      • Opcode ID: 8ee7d436c7750ed301489388b918897200064c2a866a9133b5f9b54820843689
      • Instruction ID: ecd86e5a15e09fa1b6f5e0c0c2bacb966cc526174b915b1da43549912b99cc4a
      • Opcode Fuzzy Hash: 8ee7d436c7750ed301489388b918897200064c2a866a9133b5f9b54820843689
      • Instruction Fuzzy Hash: 50B0923100050CBBCB11BF55EC0E88DFF69FF25398B00C120B90A480628B76E9B19BE1
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: %R;~$)R;~$\0{m$]fY7$_}V$j!f$}i^$>!H$C?x$X|{
      • API String ID: 0-262422891
      • Opcode ID: f6ea3989c744e80e929668882af373cc0d5153842ab942ab069674cd603ab4c8
      • Instruction ID: f47ecbfb33742630c98b5b79bcedd688930db2af6e6c0f235c131cccc4deae35
      • Opcode Fuzzy Hash: f6ea3989c744e80e929668882af373cc0d5153842ab942ab069674cd603ab4c8
      • Instruction Fuzzy Hash: 42B207F3A0C210AFE7046E2DEC8567AFBEAEF94320F16453DEAC4C7344E67558058696
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: %f25$%vks$5:j$>zx9$CMW{$F.~z$FB[_$LE}{$Ma7
      • API String ID: 0-4241217129
      • Opcode ID: fbb652fefafa1d57130801b3e399d6a25634e050aee2ae16d599940858de5b96
      • Instruction ID: c2e9e8d9dcc15a1987d20c23fd065503de26e81b56808cc40dc04746db2884be
      • Opcode Fuzzy Hash: fbb652fefafa1d57130801b3e399d6a25634e050aee2ae16d599940858de5b96
      • Instruction Fuzzy Hash: C2B208F3A0C2009FE304AE2DEC8577AFBE9EB94720F1A453DEAC4C7744E63558058696
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: 0$k_$i]B$mSm$p?S$p?S${wO$%w$dwo
      • API String ID: 0-2543100577
      • Opcode ID: e3a5df4b07c738a9e3bfd4f2aaae43e161bb231591ed6c62aa60b43207eea98c
      • Instruction ID: 3b7e756d54768188b365cf254e384c79dcf59e04ad2e334a392e52a0cedb8e0e
      • Opcode Fuzzy Hash: e3a5df4b07c738a9e3bfd4f2aaae43e161bb231591ed6c62aa60b43207eea98c
      • Instruction Fuzzy Hash: 58B2E8F360C204AFE308AE29EC8567AF7E9EF94720F16493DE6C5C3344EA7558058697
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: Ju}$&"M$&"M$;?GO$Aa_$EkRj$okrk
      • API String ID: 0-456397440
      • Opcode ID: 6c012deb1a6d4628a3b7a5b1d86c5795eb8f8217f37910bfbd6cf78f7143288e
      • Instruction ID: 9c8fba2922bd96fb78d014cf504bfde3b9781e07a57bf1eaa1116c1908cf3190
      • Opcode Fuzzy Hash: 6c012deb1a6d4628a3b7a5b1d86c5795eb8f8217f37910bfbd6cf78f7143288e
      • Instruction Fuzzy Hash: 36B2F5F350C204AFE304AE2DEC8566ABBE9EFD4760F1A892DE6C4C7744E63558018797
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: OG{[$[qv]$^lzm$m4?$|K=$+KV
      • API String ID: 0-2737632900
      • Opcode ID: cf54274feb105989a88ec435fcad8fb0e1d5f84856a0b6422f4a3f6405149dca
      • Instruction ID: b6c51fcdc9c9567c2a05faaffac0df65c1b504dd7d28e2eec08d6df04ff0fc48
      • Opcode Fuzzy Hash: cf54274feb105989a88ec435fcad8fb0e1d5f84856a0b6422f4a3f6405149dca
      • Instruction Fuzzy Hash: 50B209F3A0C2009FE704AE2DEC8577ABBE5EF98360F16893DE6C5C3744E63558058696
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: 9e$E _$Z]G$rB9/${+)$#3u
      • API String ID: 0-4277861423
      • Opcode ID: 40d3c48cb7e89f640635c3ec1a539e6ee27601b010d42face536fa95f428ffe0
      • Instruction ID: f3b194f0a55cfd527a8541a2256296d9265ea6e496840c0431e8a80ac23c56f1
      • Opcode Fuzzy Hash: 40d3c48cb7e89f640635c3ec1a539e6ee27601b010d42face536fa95f428ffe0
      • Instruction Fuzzy Hash: 5FA216F36082109FE304AE2DEC8567AFBEAEFD4720F1A453DEAC5C7744E93558058692
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: 7v]o$?Sw7$EbK[$]UO~
      • API String ID: 0-1357607607
      • Opcode ID: 2140e7c6811a9a5dbed4704df0f96838c745596a5293607166d0c36f11bafe65
      • Instruction ID: 553048746bd3abd6c2a73953403696fe485cd772ddc891747cc9bfaec3e2760f
      • Opcode Fuzzy Hash: 2140e7c6811a9a5dbed4704df0f96838c745596a5293607166d0c36f11bafe65
      • Instruction Fuzzy Hash: 8EB2F6F3A0C2049FE704AE29EC8567ABBD5EF94320F1A463DEAC4C7744EA3558058697
      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • GetSystemTime.KERNEL32(?,-11DA5FEC), ref: 00714EA7
      • GetFileTime.KERNEL32(?,?,?,?,-11DA5FEC), ref: 00714EEA
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: Time$CurrentFileSleepSystemThread
      • String ID:
      • API String ID: 3818558864-0
      • Opcode ID: 4afa00a07336475dc75af38dc531e06f6b83d1bfa9299ead35d85a129a39f41f
      • Instruction ID: e70e86c1d62c3d51ea5e06626869e43efcf74079eb602368871f85dbecc1f5ae
      • Opcode Fuzzy Hash: 4afa00a07336475dc75af38dc531e06f6b83d1bfa9299ead35d85a129a39f41f
      • Instruction Fuzzy Hash: 3B01E23220414AEBCB219F6DE80CD8E7B65FF85310B404121B445954A1C77A98E1EAA0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: `os$m9?
      • API String ID: 0-518822852
      • Opcode ID: 9aca8fb1817b3c9564d08283d9f637c5e90cc4347a27d9e6c673dbf82f5906ec
      • Instruction ID: bfae471f2ceac1777f5e476246fc0c651768a3c3a85e0e75b61315976dca6a98
      • Opcode Fuzzy Hash: 9aca8fb1817b3c9564d08283d9f637c5e90cc4347a27d9e6c673dbf82f5906ec
      • Instruction Fuzzy Hash: EB4129F37086045BF304AA2EDC4476BB6DBDBD4710F29C53DE384D3788E97898068296
      APIs
      • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00715D77
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CryptSignatureVerify
      • String ID:
      • API String ID: 1015439381-0
      • Opcode ID: 1b4a5f0f766906ce2622a71355f124b3d27c3e84569d7183589da8b100a0ba43
      • Instruction ID: d46313e682ef3ca1410b43a6f0442861a1d9363de08e89e3b233ace425ff5cc3
      • Opcode Fuzzy Hash: 1b4a5f0f766906ce2622a71355f124b3d27c3e84569d7183589da8b100a0ba43
      • Instruction Fuzzy Hash: 96F0583220060AEFCF11CF94D9489CC7BB2FF48304F508125F91196250D37A96A1EF40
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: IVGb
      • API String ID: 0-3018670879
      • Opcode ID: b307e95b156cf6e774e44a0876c0c5ad2f185dc86dd955afb59a51fa4e8b12a0
      • Instruction ID: 790f7f35377d5ee2c04d77a2d6b74f1d317888c75947a9fa8c56952d8e2ef564
      • Opcode Fuzzy Hash: b307e95b156cf6e774e44a0876c0c5ad2f185dc86dd955afb59a51fa4e8b12a0
      • Instruction Fuzzy Hash: 8571A2F2A082049FF3046E2DDC857AAB7D5EB94720F0A453DEBC4C3784EA7968518796
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: !=Z"
      • API String ID: 0-2152568254
      • Opcode ID: 13af7728d0d59da816d0251ca0589fc3e432877d89d9fc2f5a0c6f25169ead20
      • Instruction ID: 21d1a359c359cd74877661db7580878c8e014d30b8c92710e494f12a2fcd0180
      • Opcode Fuzzy Hash: 13af7728d0d59da816d0251ca0589fc3e432877d89d9fc2f5a0c6f25169ead20
      • Instruction Fuzzy Hash: 1D416BF39082145FF3006E29DC8577AFBD6EB94324F1A4A3CDAD8C3744E9326D198686
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: [Es
      • API String ID: 0-2682361502
      • Opcode ID: 209a533cc66594ad1b8cbddf58d89d40045042c9bec7521d551845bb7967a5b2
      • Instruction ID: 4a05ee3a4109fe959ef470ee9e531e237ceab06babddaede348ba34ceb9bd951
      • Opcode Fuzzy Hash: 209a533cc66594ad1b8cbddf58d89d40045042c9bec7521d551845bb7967a5b2
      • Instruction Fuzzy Hash: 783101F3E282101BF718A93DED45776B6C6DB54324F2A463DEA59D3B84E8BD8C050289
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID: m@n
      • API String ID: 0-3861156231
      • Opcode ID: 72a1236db06c3055b36fb21fb438cd5c0cf7e020086af0edff1f6b05dfb33ec6
      • Instruction ID: c187046fe41486281947f24323ddf6c992c61ff2c8e16d8ccabbcedeef29897e
      • Opcode Fuzzy Hash: 72a1236db06c3055b36fb21fb438cd5c0cf7e020086af0edff1f6b05dfb33ec6
      • Instruction Fuzzy Hash: 95318DB250C3109FE7566F28DC826BAFBE4EF44320F16492EEAD483250D7354854CB97
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 632bab5a370a548243c5586c655179524ed392419b1486076eda04de22dbb7ce
      • Instruction ID: 20d065dd4305d17cc52e76c038306c3732eb8acd7981c399a673c6ff7fb6b10a
      • Opcode Fuzzy Hash: 632bab5a370a548243c5586c655179524ed392419b1486076eda04de22dbb7ce
      • Instruction Fuzzy Hash: 00515AF3B082041BF308693DDD45B6A77DBDBD4310F2B863DEA85C7784E87999018256
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1869e1c071b28daf03c7a5bcf3b069c5d60b8cb0ad55e7b3825bf90390870aa5
      • Instruction ID: 49dd28e0da1e3a26ab55ba590c720a08991d4761dcd8a57584842ebe7c29f515
      • Opcode Fuzzy Hash: 1869e1c071b28daf03c7a5bcf3b069c5d60b8cb0ad55e7b3825bf90390870aa5
      • Instruction Fuzzy Hash: FC51E0F240CB28DFDB466E28FC8163AB7D4AB14305F25092DD7C286310F6795950E787
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: eecb3a744e4d183e7dfc853bb92b64acbb0df543a8e51173842af3944e52e7c5
      • Instruction ID: 4cef103074bab5b2c9c1b48fd6be4e2529924292213813015ac0c0b6509e4ae4
      • Opcode Fuzzy Hash: eecb3a744e4d183e7dfc853bb92b64acbb0df543a8e51173842af3944e52e7c5
      • Instruction Fuzzy Hash: 66417CF3E083085BE318296DEC457BB7BCDD750660F2A413EEA85C3B44F97965084186
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3915fb69a5c433e5a697f2fbf10d9e0b39d7250c5c94ffba9ef0fb9a725e73e4
      • Instruction ID: 9d9909451a8604eb7ebeb0bf4c37360b04bce5823614cfe36267b70d4052ec71
      • Opcode Fuzzy Hash: 3915fb69a5c433e5a697f2fbf10d9e0b39d7250c5c94ffba9ef0fb9a725e73e4
      • Instruction Fuzzy Hash: 4AE04676004105AAD700AF94D849A9FFBF8FF19310F60984AE884CB722C2358D42CB2A
      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
        • Part of subcall function 00715426: IsBadWritePtr.KERNEL32(?,00000004), ref: 00715434
      • wsprintfA.USER32 ref: 007143EE
      • LoadImageA.USER32(?,?,?,?,?,?), ref: 007144B2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CurrentImageLoadSleepThreadWritewsprintf
      • String ID: %8x$%8x
      • API String ID: 2375920415-2046107164
      • Opcode ID: 1c7b2df9e62fb534b0f72468d6c4ad7e3fcc4e368b56de7b4fadf8922e4f3295
      • Instruction ID: 62ae15793563499335bf5fdd88732019ef85a8a4be2d9ac357e771f7d55de1a1
      • Opcode Fuzzy Hash: 1c7b2df9e62fb534b0f72468d6c4ad7e3fcc4e368b56de7b4fadf8922e4f3295
      • Instruction Fuzzy Hash: E831F57190014AEFCF11DF98DD49EEEBB79FF88310F108125F911A61A1C7759AA1EBA0
      APIs
      • GetFileAttributesExW.KERNEL32(01040694,00004020,00000000,-11DA5FEC), ref: 00715066
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: AttributesFile
      • String ID: @
      • API String ID: 3188754299-2726393805
      • Opcode ID: 68e06a2b794dfd20a838075b6f6c676b6fa5b6471442418ed90dc987df41b939
      • Instruction ID: 360e92f5019883716eeb39a65f4223da546f12c4a1d6f48bcf0332f5d923fd40
      • Opcode Fuzzy Hash: 68e06a2b794dfd20a838075b6f6c676b6fa5b6471442418ed90dc987df41b939
      • Instruction Fuzzy Hash: DA3189B1500A05EFCB258F98D848BDABBB4FF48340F108619F95667690C3B8A6A5CBC0
      APIs
        • Part of subcall function 00710D25: GetCurrentThreadId.KERNEL32 ref: 00710D34
        • Part of subcall function 00710D25: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00710D77
      • GetFileSize.KERNEL32(?,+3q,-11DA5FEC,?,?,0071332B,?,00000000), ref: 00715A40
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1474620794.00000000006BC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00520000, based on PE: true
      • Associated: 00000000.00000002.1474388037.0000000000520000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474464177.0000000000522000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474490020.0000000000526000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.000000000052A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1474620794.00000000007DE000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475531783.00000000007DF000.00000080.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475873211.0000000000990000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.1475949184.0000000000992000.00000080.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_520000_VlY57c5AF4.jbxd
      Similarity
      • API ID: CurrentFileSizeSleepThread
      • String ID: +3q$+3q
      • API String ID: 298963865-3735796630
      • Opcode ID: 626ff252b2aa4cc65c312c20e7a12989bdd116a81397c043ca948df730734552
      • Instruction ID: e0d1025871d34bb6df4676f0ec66b1f89f21b96ac945b29eada4ff032a0c27fa
      • Opcode Fuzzy Hash: 626ff252b2aa4cc65c312c20e7a12989bdd116a81397c043ca948df730734552
      • Instruction Fuzzy Hash: 42014832240906EBCB299F6CD88CF99BBA4BF85354F10C315F4019A4E0D739A4D1DBA0