

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532434
MD5: 94eedad5efd6b4130b472b769b0a5c35
SHA1: db9d4f3b42ce62fae1ddcdea627390f1705f0fd9
SHA256: 2b87095a88843574715151c409bc2d2f86431f50c6692247b77d3c3a7afd75cd
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3668 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 94EEDAD5EFD6B4130B472B769B0A5C35)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: file.exeAvira: detected
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
Source: file.exeJoe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A04867 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1669447399.0000000004D90000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exeStatic PE information: section name: (blank or non-printable)
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name: (blank or non-printable)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099B19B
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099F2E4
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009FE225
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A036F
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00933604
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099967E
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008BA7FA
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009948F3
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A399E
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00997BE8
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008E7B12
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0099CC15
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00966C65
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00949DD8
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A1DE5
Source: C:\Users\user\Desktop\file.exeCode function: String function: 009FF85C appears 35 times
Source: file.exe, 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exeBinary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exeStatic PE information: Section: xnyyorma ZLIB complexity 0.9947547969448585
Source: classification engineClassification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exeMutant created: NULL
Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exeString found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: version.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dll (listed twice)
Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
Source: file.exeStatic file information: File size 1743360 > 1048576
Source: file.exeStatic PE information: Raw size of section xnyyorma (0x1a3600) exceeds 0x100000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.820000.0.unpack, section rights (blank):EW; .rsrc:W; .idata:W; (blank):EW; xnyyorma:EW; coaxywia:EW; .taggant:EW vs original (blank):ER; .rsrc:W
Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
Source: file.exeStatic PE information: real checksum: 0x1b2350 should be: 0x1ac2bd
Source: file.exeStatic PE information: section name: (blank or non-printable)
Source: file.exeStatic PE information: section name: .idata
Source: file.exeStatic PE information: section name: (blank or non-printable)
Source: file.exeStatic PE information: section name: xnyyorma
Source: file.exeStatic PE information: section name: coaxywia
Source: file.exeStatic PE information: section name: .taggant
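The checksum mismatch recorded in this section (stored 0x1b2350, recomputed 0x1ac2bd) can be reproduced without the sandbox. The script below is an added example, not part of the Joe Sandbox report: it implements the documented PE checksum (sum the file as 32-bit little-endian words with end-around carry, skipping the CheckSum field itself, fold to 16 bits, add the file length), which is the same algorithm pefile's generate_checksum() uses, and runs it on a constructed 256-byte MZ/PE stub rather than on the sample. It assumes the CheckSum field is dword-aligned, which holds whenever e_lfanew is. Caveat for triage: Windows only validates this field for drivers and for DLLs loaded at boot or into critical processes, so plenty of legitimate user-mode executables carry 0 or a stale value; a nonzero wrong value like the one here mainly shows the file was rewritten after the linker set the field, which fits the packing the rest of this section documents.

```python
"""Recompute a PE file's CheckSum field and compare it with the stored value.

Added example; not part of the Joe Sandbox report. Implements the documented
PE checksum (the same algorithm pefile.PE.generate_checksum() uses). Assumes
the CheckSum field is dword-aligned, i.e. that e_lfanew is 4-byte aligned.
"""
import struct


def checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE
    signature) + 20 (IMAGE_FILE_HEADER) + 64 (CheckSum within the optional
    header, same offset for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Checksum over the whole file, skipping the CheckSum dword itself."""
    skip = checksum_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)      # pad to a dword boundary
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:                              # CheckSum field is not summed
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:                     # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)      # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)                       # original length, not padded


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]


def verify(data: bytes):
    """(stored, computed, match) in the same sense as the report's
    'real checksum ... should be ...' line."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def patch_checksum(data: bytes) -> bytes:
    """Write the recomputed value into the header (what a linker does)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_offset(data), pe_checksum(data))
    return bytes(buf)


def make_sample() -> bytes:
    """Constructed minimal MZ/PE stub for demonstration (not a loadable
    image): 256 zero bytes with the MZ magic, e_lfanew = 0x40, the PE
    signature at 0x40 and CheckSum (at 0x98) left as 0."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    stub = make_sample()
    print("stub:", verify(stub))                    # stored 0, computed 0xA0DD
    print("patched:", verify(patch_checksum(stub)))  # now matches
```

On a real file, `verify(open(path, "rb").read())` returns the stored value, the recomputed value and whether they agree; a stub whose field was never filled in reports a mismatch against 0, while a packer that rewrites the sections after linking leaves the stale nonzero value this report flags.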
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B609B: push 4BC17F26h; mov dword ptr [esp], ebx (at 0_2_009B9255)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C0091: push eax; mov dword ptr [esp], 3AFE1AD6h (at 0_2_009C01F6)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009BE095: push eax; ret (at 0_2_009BE0A4)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B7094: push 47433A0Ah; mov dword ptr [esp], edx (at 0_2_009B70A4)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A250B0: push 55A9231Dh; mov dword ptr [esp], eax (at 0_2_00A25107)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A250B0: push ebx; mov dword ptr [esp], eax (at 0_2_00A2512F)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A70083: push edx; mov dword ptr [esp], eax (at 0_2_00A700D4)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A70083: push edi; mov dword ptr [esp], ecx (at 0_2_00A700DD)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A70083: push 3B7B35BAh; mov dword ptr [esp], edx (at 0_2_00A701D0)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A70083: push esi; mov dword ptr [esp], ebp (at 0_2_00A702B0)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B80BC: push eax; mov dword ptr [esp], esi (at 0_2_009B83B0)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A3508D: push ebp; mov dword ptr [esp], edx (at 0_2_00A3512B)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A59090: push esi; mov dword ptr [esp], 330B3EE5h (at 0_2_00A59123)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A59090: push 50883D78h; mov dword ptr [esp], eax (at 0_2_00A59133)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B70D8: push eax; mov dword ptr [esp], 15E4EF5Eh (at 0_2_009B70DA)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090A0D6: push 03746967h; mov dword ptr [esp], edi (at 0_2_0090A0F9)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090A0D6: push edx; mov dword ptr [esp], eax (at 0_2_0090A137)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C60D4: push 32768A93h; mov dword ptr [esp], ecx (at 0_2_009C6183)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A570EF: push ebp; mov dword ptr [esp], esi (at 0_2_00A57115)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A570EF: push 2C7DD340h; mov dword ptr [esp], esi (at 0_2_00A5713B)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B60C1: push 7E7327DBh; mov dword ptr [esp], edi (at 0_2_009B67E3)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009BD0FF: push ecx; mov dword ptr [esp], ebp (at 0_2_009BD1F9)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C00F9: push ebp; mov dword ptr [esp], 4FF35B1Eh (at 0_2_009C015D)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C00F9: push ebp; mov dword ptr [esp], edi (at 0_2_009C026C)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009BE0E6: push esi; ret (at 0_2_009BE0F5)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B501F: push eax; mov dword ptr [esp], esp (at 0_2_009B8E49)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B1015: push 7C97F055h; mov dword ptr [esp], eax (at 0_2_009B101D)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C600E: push esi; mov dword ptr [esp], edx (at 0_2_009C6292)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C600E: push 73D910F2h; mov dword ptr [esp], esi (at 0_2_009C629F)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009BE007: push ecx; ret (at 0_2_009BE016)
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0094F031: push ecx; mov dword ptr [esp], eax (at 0_2_0094F042)
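The "call, push, ret" obfuscation the signature refers to is visible in the lines above: `push <imm>; mov dword ptr [esp], <reg>` pushes a junk constant and immediately overwrites it, so its only net effect is `push <reg>`, and `push <reg>; ret` is an indirect `jmp <reg>`. The script below is an added example, not part of the Joe Sandbox report or of any tool it uses: a peephole normaliser that parses the report's "Code function" lines (it accepts both the raw export form, where the function id, the instruction pair and the address run together, and the spaced form) and rewrites each pair into its plain equivalent. The one case it refuses to rewrite is `mov dword ptr [esp], esp`, because that stores the already-decremented esp, which is not what `push esp` does.

```python
"""Peephole normaliser for the push/mov and push/ret pairs the report lists.

Added example, not part of the Joe Sandbox report. Rewrites each obfuscated
two-instruction sequence into the single instruction it is equivalent to.
"""
import re

# Function id, the instruction pair, then the address it was found at. The
# raw export runs the address straight onto the operand; the spaced form
# puts it in "(at ...)". Both are accepted.
LINE_RE = re.compile(
    r"Code function: (?P<func>0_2_[0-9A-F]{8}):? (?P<seq>.*?)\s*"
    r"(?:\(at )?(?P<where>0_2_[0-9A-F]{8})\)?$")
PUSH_MOV_RE = re.compile(r"^push (?P<a>\S+); mov dword ptr \[esp\], (?P<b>\S+)$")
PUSH_RET_RE = re.compile(r"^push (?P<a>\S+); ret$")


def simplify(seq: str) -> str:
    """Return the plain equivalent of one obfuscated sequence, or seq itself."""
    m = PUSH_MOV_RE.match(seq)
    if m:
        if m["b"] == "esp":
            # push A; mov [esp], esp stores the post-push (decremented) esp;
            # push esp would store the pre-push value, so leave it alone.
            return seq
        # push A; mov [esp], B: A is dead the moment it is overwritten, so
        # the net effect is esp -= 4; [esp] = B, i.e. push B. Flags untouched.
        return f"push {m['b']}"
    m = PUSH_RET_RE.match(seq)
    if m:
        # push A; ret pops A straight into eip: an indirect jmp A.
        return f"jmp {m['a']}"
    return seq


def normalise(lines):
    """(function, address, original sequence, simplified sequence) per line."""
    out = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        seq = m["seq"].strip()
        out.append((m["func"], m["where"], seq, simplify(seq)))
    return out


# Four lines copied from this report in the raw export form.
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B609B push 4BC17F26h; mov dword ptr [esp], ebx0_2_009B9255",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009C0091 push eax; mov dword ptr [esp], 3AFE1AD6h0_2_009C01F6",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009BE095 push eax; ret 0_2_009BE0A4",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B501F push eax; mov dword ptr [esp], esp0_2_009B8E49",
]

if __name__ == "__main__":
    for func, where, seq, plain in normalise(REPORT_LINES):
        print(f"{func} @ {where}: {seq:45s} -> {plain}")
```

Feeding the whole "Data Obfuscation" block through `normalise()` turns the 31 entries into ordinary register pushes and three register-indirect jumps, which is the view you want before deciding whether any of these functions is worth opening in a disassembler.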
Source: file.exeStatic PE information: section name: (blank or non-printable) entropy: 7.804495319048474
Source: file.exeStatic PE information: section name: xnyyorma entropy: 7.952908636162783

Boot Survival

Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClass (searched twice, plus once as Filemonclass)
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASS (searched three times)
Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClass (searched once, plus twice as Regmonclass)
Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX (16 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DA2E second address: 82DA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DA34 second address: 82DA38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 82DA38 second address: 82DA3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999164 second address: 999168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999168 second address: 999172 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999172 second address: 999176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A7D51 second address: 9A7D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F20D8D0D9FDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A7D68 second address: 9A7D6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A7FF4 second address: 9A7FFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A7FFE second address: 9A8006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABF00 second address: 9ABF0A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F20D8D0D9FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABF0A second address: 9ABF1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push edx 0x0000000b jp 00007F20D92506CCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ABF1D second address: 82DA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jne 00007F20D8D0D9FEh 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jmp 00007F20D8D0D9FBh 0x00000016 pop eax 0x00000017 jbe 00007F20D8D0D9F9h 0x0000001d movsx ecx, di 0x00000020 push dword ptr [ebp+122D0239h] 0x00000026 sub dword ptr [ebp+122D2C50h], edi 0x0000002c call dword ptr [ebp+122D17BEh] 0x00000032 pushad 0x00000033 jp 00007F20D8D0DA03h 0x00000039 xor eax, eax 0x0000003b stc 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 xor dword ptr [ebp+122D311Ch], eax 0x00000046 mov dword ptr [ebp+122D37B9h], eax 0x0000004c sub dword ptr [ebp+122D1A6Ch], esi 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D2B76h], edx 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 stc 0x00000062 jmp 00007F20D8D0DA05h 0x00000067 lodsw 0x00000069 pushad 0x0000006a pushad 0x0000006b mov esi, eax 0x0000006d popad 0x0000006e mov dl, cl 0x00000070 popad 0x00000071 sub dword ptr [ebp+122D1A6Ch], ecx 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b mov dword ptr [ebp+122D2B76h], esi 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 cld 0x00000086 nop 0x00000087 push eax 0x00000088 push edx 0x00000089 push edx 0x0000008a pushad 0x0000008b popad 0x0000008c pop edx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC0B0 second address: 9AC0B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC0B4 second address: 9AC0B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC16A second address: 9AC170 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC170 second address: 9AC174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC174 second address: 9AC1EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 4A6D9363h 0x0000000f mov ecx, dword ptr [ebp+122D3841h] 0x00000015 mov edx, edi 0x00000017 push 00000003h 0x00000019 pushad 0x0000001a mov edx, dword ptr [ebp+122D3761h] 0x00000020 mov edx, dword ptr [ebp+122D30DBh] 0x00000026 popad 0x00000027 push 00000000h 0x00000029 sub dword ptr [ebp+122D1BFBh], esi 0x0000002f push 00000003h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F20D92506C8h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b mov ecx, dword ptr [ebp+122D3651h] 0x00000051 jmp 00007F20D92506D7h 0x00000056 push C971FAA1h 0x0000005b push edx 0x0000005c push edi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CAF5A second address: 9CAF5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CAF5E second address: 9CAF73 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F20D92506C6h 0x00000008 jg 00007F20D92506C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CAF73 second address: 9CAF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CAF78 second address: 9CAF8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506CFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CAF8D second address: 9CAF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB100 second address: 9CB12B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F20D92506C6h 0x00000008 jmp 00007F20D92506CCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F20D92506CEh 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB12B second address: 9CB143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20D8D0DA04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB143 second address: 9CB15A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F20D92506C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F20D92506CDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC668 second address: 9CC682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0DA06h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC682 second address: 9CC68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC68B second address: 9CC696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F20D8D0D9F6h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC905 second address: 9CC90B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC90B second address: 9CC92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F20D8D0DA09h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC92A second address: 9CC92F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF0AA second address: 9CF0AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF242 second address: 9CF27D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F20D92506D4h 0x00000008 jmp 00007F20D92506CEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jno 00007F20D92506C6h 0x00000019 jmp 00007F20D92506D8h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF27D second address: 9CF2CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0DA03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F20D8D0DA04h 0x00000012 mov eax, dword ptr [eax] 0x00000014 pushad 0x00000015 jns 00007F20D8D0DA0Bh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF2CE second address: 9CF2E2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jl 00007F20D92506CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDACD second address: 9CDAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDAD1 second address: 9CDADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDADB second address: 9CDADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D0670 second address: 9D0679 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7AC3 second address: 9D7ACF instructions: 0x00000000 rdtsc 0x00000002 js 00007F20D8D0D9F6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7C45 second address: 9D7C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7C4B second address: 9D7C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F20D8D0D9F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7C5C second address: 9D7C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7C60 second address: 9D7C6A instructions: 0x00000000 rdtsc 0x00000002 jno 00007F20D8D0D9F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7DAD second address: 9D7DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7DB3 second address: 9D7DD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0D9FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D835D second address: 9D8362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8D50 second address: 9D8D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8D54 second address: 9D8D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F20D92506CBh 0x0000000c jns 00007F20D92506C6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F20D92506C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8D78 second address: 9D8D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8D7C second address: 9D8DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jnc 00007F20D92506D9h 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jmp 00007F20D92506CEh 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8DB5 second address: 9D8DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8DB9 second address: 9D8DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8DBD second address: 9D8DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8DCC second address: 9D8DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007F20D92506CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8DDB second address: 9D8E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push 00000000h 0x00000008 push eax 0x00000009 call 00007F20D8D0D9F8h 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 add dword ptr [esp+04h], 0000001Ch 0x0000001b inc eax 0x0000001c push eax 0x0000001d ret 0x0000001e pop eax 0x0000001f ret 0x00000020 call 00007F20D8D0DA02h 0x00000025 mov edi, dword ptr [ebp+122D1BBBh] 0x0000002b pop edi 0x0000002c mov dword ptr [ebp+122D2E2Dh], edi 0x00000032 add dword ptr [ebp+122D1BD9h], ebx 0x00000038 call 00007F20D8D0D9F9h 0x0000003d jmp 00007F20D8D0D9FBh 0x00000042 push eax 0x00000043 push esi 0x00000044 jmp 00007F20D8D0D9FCh 0x00000049 pop esi 0x0000004a mov eax, dword ptr [esp+04h] 0x0000004e jns 00007F20D8D0DA0Eh 0x00000054 mov eax, dword ptr [eax] 0x00000056 jmp 00007F20D8D0D9FBh 0x0000005b mov dword ptr [esp+04h], eax 0x0000005f jng 00007F20D8D0DA04h 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8E8A second address: 9D8E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8F99 second address: 9D8F9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D91EC second address: 9D91F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D91F0 second address: 9D91FA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20D8D0D9F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D9A62 second address: 9D9A67 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D9C1D second address: 9D9C23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBD14 second address: 9DBD1E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F20D92506C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DC5D1 second address: 9DC5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DD171 second address: 9DD189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop esi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DC5DF second address: 9DC5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F20D8D0D9F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DD432 second address: 9DD438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DD189 second address: 9DD18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DD438 second address: 9DD43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDF49 second address: 9DDF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDF4D second address: 9DDF51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDF51 second address: 9DDF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDF5A second address: 9DDF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DEB6C second address: 9DEB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DEB72 second address: 9DEB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DE878 second address: 9DE8AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F20D8D0D9F6h 0x00000009 jmp 00007F20D8D0D9FEh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F20D8D0DA08h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E5245 second address: 9E52CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F20D92506C8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 mov ebx, dword ptr [ebp+122D2A30h] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F20D92506C8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov bl, 30h 0x0000004a push 00000000h 0x0000004c push 00000000h 0x0000004e push edx 0x0000004f call 00007F20D92506C8h 0x00000054 pop edx 0x00000055 mov dword ptr [esp+04h], edx 0x00000059 add dword ptr [esp+04h], 00000014h 0x00000061 inc edx 0x00000062 push edx 0x00000063 ret 0x00000064 pop edx 0x00000065 ret 0x00000066 sub dword ptr [ebp+122D2B52h], edx 0x0000006c push eax 0x0000006d push ecx 0x0000006e push eax 0x0000006f push edx 0x00000070 jng 00007F20D92506C6h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E755F second address: 9E7565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E6658 second address: 9E665D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E7565 second address: 9E756D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E756D second address: 9E7585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F20D92506C6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jp 00007F20D92506D0h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E677C second address: 9E6786 instructions: 0x00000000 rdtsc 0x00000002 je 00007F20D8D0D9FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E7585 second address: 9E75C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edi, dword ptr [ebp+122D2BABh] 0x0000000c jmp 00007F20D92506D0h 0x00000011 push 00000000h 0x00000013 mov ebx, dword ptr [ebp+122D1C00h] 0x00000019 jnc 00007F20D92506CCh 0x0000001f push 00000000h 0x00000021 mov bh, 2Bh 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 pop ebx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E75C0 second address: 9E75D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0D9FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E7737 second address: 9E7741 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F20D92506C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E95A2 second address: 9E95AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E95AA second address: 9E95AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB294 second address: 9EB29A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E95AE second address: 9E95C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F20D92506C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB29A second address: 9EB29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E95C0 second address: 9E95CA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F20D92506C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB29E second address: 9EB2BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0DA03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E95CA second address: 9E95E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20D92506D9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB2BD second address: 9EB2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E95E7 second address: 9E9685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, 139A39BCh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 call 00007F20D92506D2h 0x0000001d jmp 00007F20D92506CBh 0x00000022 pop ebx 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F20D92506C8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 jns 00007F20D92506C9h 0x0000004a mov eax, dword ptr [ebp+122D04E1h] 0x00000050 jmp 00007F20D92506CCh 0x00000055 mov dword ptr [ebp+1246B110h], esi 0x0000005b push FFFFFFFFh 0x0000005d mov di, ax 0x00000060 mov di, cx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jo 00007F20D92506CCh 0x0000006c ja 00007F20D92506C6h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB2C2 second address: 9EB2C7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB2C7 second address: 9EB2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 mov dl, cl 0x0000000b popad 0x0000000c push 00000000h 0x0000000e pushad 0x0000000f pushad 0x00000010 add dword ptr [ebp+122D295Bh], ebx 0x00000016 push ebx 0x00000017 pop edi 0x00000018 popad 0x00000019 mov ax, 819Ah 0x0000001d popad 0x0000001e push 00000000h 0x00000020 xchg eax, esi 0x00000021 jmp 00007F20D92506CAh 0x00000026 push eax 0x00000027 pushad 0x00000028 pushad 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c pop eax 0x0000002d popad 0x0000002e push edi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EC470 second address: 9EC474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EC474 second address: 9EC47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB50F second address: 9EB515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB515 second address: 9EB519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB519 second address: 9EB528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB528 second address: 9EB52E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB52E second address: 9EB53D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20D8D0D9FAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99AC81 second address: 99AC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EC644 second address: 9EC648 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99AC85 second address: 99AC89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99AC89 second address: 99AC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EC648 second address: 9EC662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F20D92506D0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99AC8F second address: 99AC9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jc 00007F20D8D0D9F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EC71F second address: 9EC723 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EFB9A second address: 9EFBA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EFBA0 second address: 9EFBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov edi, dword ptr [ebp+122D2935h] 0x0000000c mov dword ptr [ebp+122D2B48h], ecx 0x00000012 push 00000000h 0x00000014 and bx, 02CAh 0x00000019 push 00000000h 0x0000001b mov bx, si 0x0000001e xchg eax, esi 0x0000001f pushad 0x00000020 jng 00007F20D92506CCh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EFBC8 second address: 9EFBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F20D8D0D9FCh 0x0000000a je 00007F20D8D0D9F6h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F20D8D0D9F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EFBE4 second address: 9EFBEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EFBEA second address: 9EFBF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F20D8D0D9F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0AFA second address: 9F0B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F20D92506C8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 movsx ebx, dx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007F20D92506C8h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 00000018h 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007F20D92506C8h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 00000014h 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 add dword ptr [ebp+122D2C2Bh], ebx 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b jbe 00007F20D92506C6h 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0B8C second address: 9F0B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EED51 second address: 9EED64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20D92506CEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EED64 second address: 9EED69 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1D93 second address: 9F1D97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F3BD4 second address: 9F3BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F2CE0 second address: 9F2CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F2CE6 second address: 9F2CEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F2CEA second address: 9F2D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push dword ptr fs:[00000000h] 0x00000010 jmp 00007F20D92506CAh 0x00000015 mov dword ptr fs:[00000000h], esp 0x0000001c mov bl, F3h 0x0000001e mov bl, 68h 0x00000020 mov eax, dword ptr [ebp+122D05C1h] 0x00000026 jo 00007F20D92506C8h 0x0000002c mov bl, dl 0x0000002e mov edi, dword ptr [ebp+122D2D87h] 0x00000034 push FFFFFFFFh 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F20D92506C8h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 nop 0x00000051 pushad 0x00000052 pushad 0x00000053 jmp 00007F20D92506CFh 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F2D5D second address: 9F2D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F20D8D0DA09h 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d pushad 0x0000000e jl 00007F20D8D0D9F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5F62 second address: 9F5F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5F68 second address: 9F5FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F20D8D0D9F8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D1BD9h], ecx 0x00000029 mov dword ptr [ebp+122D351Eh], ebx 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F20D8D0D9F8h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b and di, 3BD4h 0x00000050 push 00000000h 0x00000052 mov edi, 0FA11684h 0x00000057 xchg eax, esi 0x00000058 push esi 0x00000059 push ebx 0x0000005a jmp 00007F20D8D0DA01h 0x0000005f pop ebx 0x00000060 pop esi 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jns 00007F20D8D0D9FCh 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4EE2 second address: 9F4FA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F20D92506C8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D17DBh], ebx 0x0000002a push dword ptr fs:[00000000h] 0x00000031 xor di, 0276h 0x00000036 sbb bl, FFFFFF82h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 push 00000000h 0x00000042 push ecx 0x00000043 call 00007F20D92506C8h 0x00000048 pop ecx 0x00000049 mov dword ptr [esp+04h], ecx 0x0000004d add dword ptr [esp+04h], 0000001Ah 0x00000055 inc ecx 0x00000056 push ecx 0x00000057 ret 0x00000058 pop ecx 0x00000059 ret 0x0000005a add dword ptr [ebp+122D1B15h], edi 0x00000060 mov eax, dword ptr [ebp+122D103Dh] 0x00000066 call 00007F20D92506D2h 0x0000006b sbb di, AE2Dh 0x00000070 pop ebx 0x00000071 push FFFFFFFFh 0x00000073 jmp 00007F20D92506D7h 0x00000078 sub ebx, dword ptr [ebp+122D311Ch] 0x0000007e nop 0x0000007f pushad 0x00000080 push ebx 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4FA2 second address: 9F4FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4FAB second address: 9F4FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4FAF second address: 9F4FCF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F20D8D0DA03h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6122 second address: 9F6126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6126 second address: 9F612A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6267 second address: 9F626B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FDE9A second address: 9FDEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F20D8D0DA01h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FDEB0 second address: 9FDECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F20D92506D7h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0BE46 second address: A0BE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0BE4A second address: A0BE50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0BE50 second address: A0BE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11DC8 second address: A11DD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F20D92506C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11DD2 second address: A11DE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0D9FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A12300 second address: A12319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20D92506D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A12319 second address: A1231D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1231D second address: A12328 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A12328 second address: A1232E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55D0E second address: A55D27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0DA05h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9976E9 second address: 997702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20D92506D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 997702 second address: 99772C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F20D8D0DA06h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F20D8D0D9FAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60292 second address: A602A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F20D92506D2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A603CF second address: A603D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60564 second address: A6056E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F20D92506C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BFD6 second address: A6BFDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A76D6A second address: A76D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75BC3 second address: A75BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75BC7 second address: A75BD9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F20D92506C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75BD9 second address: A75BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AAC1 second address: A7AAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AAC5 second address: A7AAC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AAC9 second address: A7AAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AAD1 second address: A7AAD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AAD7 second address: A7AADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7AADD second address: A7AAE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7EAC9 second address: A7EACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7EACD second address: A7EAE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F20D8D0D9FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7EAE2 second address: A7EAED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7EAED second address: A7EAF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F20D8D0D9F6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A822C4 second address: A822C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8997A second address: A8997E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8997E second address: A89984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A89984 second address: A899B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F20D8D0DA04h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F20D8D0DA01h 0x00000015 popad 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A899B8 second address: A899BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88486 second address: A88493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88493 second address: A88497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88497 second address: A884A1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F20D8D0D9F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88BBD second address: A88BD9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F20D92506C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F20D92506C8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jg 00007F20D92506C6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A88BD9 second address: A88BE3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F20D8D0D9F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8D140 second address: A8D14C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F20D92506C6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9096D second address: A90982 instructions: 0x00000000 rdtsc 0x00000002 je 00007F20D8D0D9F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jo 00007F20D8D0DA06h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90982 second address: A90986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D20 second address: AB5D36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D8D0D9FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D36 second address: AB5D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D3D second address: AB5D4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F20D8D0D9FBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D4E second address: AB5D6C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F20D92506C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F20D92506CEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D6C second address: AB5D7C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D7C second address: AB5D82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5D82 second address: AB5D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB562D second address: AB5631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5631 second address: AB5668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20D8D0DA00h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007F20D8D0D9F6h 0x00000015 pop ecx 0x00000016 pushad 0x00000017 jmp 00007F20D8D0DA03h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB5668 second address: AB566E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB566E second address: AB5693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F20D8D0D9F6h 0x0000000a popad 0x0000000b jmp 00007F20D8D0D9FBh 0x00000010 pushad 0x00000011 js 00007F20D8D0D9F6h 0x00000017 jbe 00007F20D8D0D9F6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB57B7 second address: AB57BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB57BB second address: AB57BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB57BF second address: AB57CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB91BA second address: AB91D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F20D8D0D9F6h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8C46 second address: AB8C68 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F20D92506D2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F20D92506DAh 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8C68 second address: AB8C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABD15D second address: ABD184 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F20D92506D3h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F20D92506C6h 0x00000013 jns 00007F20D92506C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABD184 second address: ABD19E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F20D8D0D9F6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007F20D8D0D9F6h 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC1531 second address: AC1579 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20D92506D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F20D92506C6h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F20D92506CDh 0x00000017 jmp 00007F20D92506D5h 0x0000001c popad 0x0000001d pop ecx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC1579 second address: AC1583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F20D8D0D9F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA2EB second address: ABA30E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F20D92506C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F20D92506D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA30E second address: ABA312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8F27 second address: AB8F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8F2D second address: AB8F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8F36 second address: AB8F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F20D92506C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA137 second address: ABA175 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F20D8D0D9F6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F20D8D0DA07h 0x00000011 push edi 0x00000012 jmp 00007F20D8D0DA08h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA175 second address: ABA18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jmp 00007F20D92506CAh 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 82DA92 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 82D9D7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 82B606 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A61F2A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4E40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 7100000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A03011 rdtsc 0_2_00A03011
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BE17F sidt fword ptr [esp-02h] 0_2_009BE17F
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 3288 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A07EF4 GetSystemInfo,VirtualAlloc, 0_2_00A07EF4
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
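Each "RDTSC instruction interceptor" line above describes one pair of consecutive rdtsc reads and the filler the protector places between them (stack-neutral push/pop and pushad/popad pairs plus conditional and unconditional jumps), and a pair's second address is usually the next pair's first address, so the lines chain into longer timing probes. The script below is an added example by the editor; it is not part of the Joe Sandbox report and not code from the sample. It parses those lines, rebuilds the chains, counts filler and branch instructions per chain, and decodes the "Thread delayed" value, which is INT64_MAX in 100 ns units expressed in milliseconds. The four embedded sample lines are copied from the report; the regular expressions and the chain logic are the editor's assumptions about the report's line format.

```python
"""Parse the 'RDTSC instruction interceptor' lines of the report and rebuild
the chained rdtsc pairs they describe. Added example by the editor; not part
of the Joe Sandbox report and not code from the sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed input: four consecutive signature lines copied from the report.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: "
    "First address: A4943C second address: A49440 instructions: 0x00000000 rdtsc "
    "0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: "
    "First address: A49440 second address: A4945C instructions: 0x00000000 rdtsc "
    "0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax "
    "0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F20D92506D4h "
    "0x0000000d rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: "
    "First address: A4945C second address: A49466 instructions: 0x00000000 rdtsc "
    "0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F20D8D0D9F6h "
    "0x0000000a rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: "
    "First address: A49466 second address: A4946A instructions: 0x00000000 rdtsc "
    "0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
]

# Assumed line format: the separator before "RDTSC" does not matter, the rest is
# taken verbatim from the report lines.
LINE_RE = re.compile(
    r"RDTSC instruction interceptor: First address: (?P<first>[0-9A-Fa-f]+) "
    r"second address: (?P<second>[0-9A-Fa-f]+) instructions: (?P<body>.*)$"
)
OFFSET_RE = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s*")   # the "0x00000002 " prefixes
BRANCH_RE = re.compile(r"^j[a-z]{1,3}\b")              # jmp / jc / jno / jnl ...


@dataclass
class RdtscPair:
    first: int                           # address of the first rdtsc
    second: int                          # address of the next rdtsc
    instructions: List[Tuple[int, str]]  # (offset, text); first and last are rdtsc

    @property
    def filler(self) -> List[str]:
        """Instructions executed between the two rdtsc reads."""
        return [text for _, text in self.instructions[1:-1]]

    @property
    def branches(self) -> List[str]:
        return [t for t in self.filler if BRANCH_RE.match(t)]


def parse_instructions(body: str) -> List[Tuple[int, str]]:
    parts = OFFSET_RE.split(body)[1:]       # [offset, text, offset, text, ...]
    return [(int(off, 16), text.strip()) for off, text in zip(parts[::2], parts[1::2])]


def parse_report(lines) -> List[RdtscPair]:
    pairs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            pairs.append(RdtscPair(int(m["first"], 16), int(m["second"], 16),
                                   parse_instructions(m["body"])))
    return pairs


def build_chains(pairs: List[RdtscPair]) -> List[List[int]]:
    """Link pairs whose 'second address' is another pair's 'first address'."""
    nxt: Dict[int, int] = {p.first: p.second for p in pairs}
    targets = set(nxt.values())
    chains = []
    for start in sorted(a for a in nxt if a not in targets):
        chain = [start]
        while chain[-1] in nxt and nxt[chain[-1]] not in chain:   # guard against loops
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return chains


def summarize(pairs: List[RdtscPair]) -> List[dict]:
    by_first = {p.first: p for p in pairs}
    out = []
    for chain in build_chains(pairs):
        hops = [by_first[a] for a in chain[:-1]]
        out.append({"start": chain[0], "end": chain[-1], "rdtsc_count": len(chain),
                    "filler": sum(len(p.filler) for p in hops),
                    "branches": sum(len(p.branches) for p in hops)})
    return out


# NtDelayExecution takes a signed 100 ns interval; INT64_MAX of those units is
# 922337203685477 ms, the value shown in the 'Thread delayed' line above.
MAX_NT_DELAY_MS = 2**63 // 10_000


def is_max_nt_delay(delay_ms: int) -> bool:
    return delay_ms == MAX_NT_DELAY_MS


if __name__ == "__main__":
    for s in summarize(parse_report(SAMPLE_LINES)):
        print(f"chain {s['start']:X}..{s['end']:X}: {s['rdtsc_count']} rdtsc, "
              f"{s['filler']} filler instructions, {s['branches']} branches")
    print("sleep is effectively infinite:", is_max_nt_delay(922337203685477))
```

Feed the script the whole "RDTSC instruction interceptor" block of a report to get one line per chain; a chain with many reads and many branches is the protector measuring how long it takes to get through its own junk, and a debugger single-step or a sandbox's instruction interception inflates the difference between the first and last read. The delay check is the complementary trick: a sleep of INT64_MAX 100 ns units never returns on a real host, so a sandbox that shortens long sleeps (as the "Thread sleep time ... >= -30000s" line shows this one did) reveals itself.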

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A03011 rdtsc 0_2_00A03011
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &$Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A039A9 GetSystemTime,GetFileTime, 0_2_00A039A9
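The window class names and titles, the SoftICE device names and the VirtualBox and Oreans strings listed in this report all sit in the sample's memory as plain literals, which makes them usable as triage indicators for other dumps and unpacked sections. The scanner below is an added example by the editor, not code from the report or from the sample. The indicator list is taken from the lines above; the UTF-16LE handling (FindWindowW and CreateFileW consume wide strings, so the literals often sit in memory as UTF-16 rather than ASCII), the \\.\NAME form for the device names, and the constructed sample buffer are the editor's own.

```python
"""Scan a byte buffer (a memory dump or an unpacked section) for the
anti-analysis strings listed in the report. Added example by the editor; not
part of the Joe Sandbox report and not the sample's code."""
import re
from typing import Dict, List, NamedTuple


class Hit(NamedTuple):
    category: str
    indicator: str
    encoding: str
    offset: int


# Window class names / titles, SoftICE device paths, VM and protector strings
# as they appear in the report. Device names are searched in the \\.\NAME form
# that CreateFile uses, so a bare "SICE" inside unrelated text does not match.
INDICATORS: Dict[str, List[str]] = {
    "analysis tool window": [
        "ollydbg", "regmonclass", "filemonclass", "procmon_window_class", "gbdyllo",
        "process monitor - sysinternals: www.sysinternals.com",
        "registry monitor - sysinternals: www.sysinternals.com",
        "file monitor - sysinternals: www.sysinternals.com",
    ],
    "SoftICE device": ["\\\\.\\NTICE", "\\\\.\\SICE", "\\\\.\\SIWVID"],
    "VirtualBox artifact": ["HARDWARE\\ACPI\\DSDT\\VBOX__"],
    "Oreans protector": ["Oreans.vxd", "Software\\WinLicense"],
}


def _patterns(indicator: str):
    """Case-insensitive patterns for the ASCII and the UTF-16LE form of a string.
    FindWindowW / CreateFileW take wide strings, so both encodings matter."""
    raw = indicator.encode("ascii")
    ascii_pat = re.escape(raw)
    utf16_pat = b"".join(re.escape(bytes([c])) + b"\x00" for c in raw)
    return (("ascii", re.compile(ascii_pat, re.IGNORECASE)),
            ("utf-16le", re.compile(utf16_pat, re.IGNORECASE)))


COMPILED = [(cat, ind, enc, pat)
            for cat, inds in INDICATORS.items()
            for ind in inds
            for enc, pat in _patterns(ind)]


def scan(buf: bytes) -> List[Hit]:
    """Return every indicator occurrence in buf, ordered by offset."""
    hits = [Hit(cat, ind, enc, m.start())
            for cat, ind, enc, pat in COMPILED
            for m in pat.finditer(buf)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample buffer: a wide-string window name, an ASCII device path and
# the VirtualBox ACPI table name, separated by filler bytes.
SAMPLE_BUFFER = (
    b"\x00" * 8 + b"MZ" + b"\x00" * 6
    + "OLLYDBG".encode("utf-16-le") + b"\x00\x00"
    + b"\\\\.\\NTICE\x00"
    + b"junk"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE_BUFFER):
        print(f"{h.offset:#06x} {h.encoding:8} {h.category}: {h.indicator}")
```

Run it over the .sdmp memory dumps a sandbox produces rather than over the packed file on disk: the report's own "Binary or memory string" lines show these literals only in the unpacked 0x9B0000 region, and the packed image has an entropy of 7.93, so a scan of the original executable finds nothing.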

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
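The registry writes above suppress Defender Security Center notifications, switch off IOAV (download and attachment) scanning and real-time monitoring through the policy hive, attempt to clear TamperProtection, and set Windows Update policy values. The script below is an added example by the editor, not part of the Joe Sandbox report: it audits exactly those values on a Windows host, or against a saved snapshot, and rates each one. Key paths and value names are those shown in the report, with two assumptions: the report prints only the value name for TamperProtection, so its key path is assumed here, and the data of the three Windows Update values is assumed because the report does not print it.

```python
"""Check the Windows Defender and Windows Update policy values the sample
writes and report which ones weaken protection. Added example by the editor;
not part of the Joe Sandbox report. Key paths and value names come from the
report except where marked as assumed."""
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEFENDER_NOTIF = r"SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
DEFENDER_RTP = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# The report shows only the value name "TamperProtection"; this key path is the
# usual location of that value and is an assumption here.
DEFENDER_FEATURES = r"SOFTWARE\Microsoft\Windows Defender\Features"
WU = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
WU_AU = WU + r"\AU"

Key = Tuple[str, str]   # (HKLM-relative key path, value name)

# Value that means "protection off", and what that does. AUOptions=1 is the
# "never check for updates" setting.
OFF_VALUES: Dict[Key, Tuple[int, str]] = {
    (DEFENDER_NOTIF, "DisableNotifications"): (1, "Defender Security Center notifications suppressed"),
    (DEFENDER_RTP, "DisableIOAVProtection"): (1, "scanning of downloads and attachments off"),
    (DEFENDER_RTP, "DisableRealtimeMonitoring"): (1, "real-time protection off"),
    (DEFENDER_FEATURES, "TamperProtection"): (0, "tamper protection off"),
    (WU_AU, "AUOptions"): (1, "automatic updates disabled"),
    (WU, "DoNotConnectToWindowsUpdateInternetLocations"): (1, "Windows Update cut off from Microsoft servers"),
}
# Also written by the sample, but the report does not show the data.
REVIEW_ONLY: List[Key] = [(WU_AU, "AutoInstallMinorUpdates")]
ALL_KEYS: List[Key] = list(OFF_VALUES) + REVIEW_ONLY


@dataclass
class Finding:
    severity: str      # "high" or "review"
    key: str
    name: str
    observed: int
    reason: str


def evaluate(observed: Dict[Key, Optional[int]]) -> List[Finding]:
    """Pure logic, so it runs against live registry data or a saved snapshot."""
    findings = []
    for key in ALL_KEYS:
        value = observed.get(key)
        if value is None:          # value absent: nothing set, nothing to flag
            continue
        rule = OFF_VALUES.get(key)
        if rule and value == rule[0]:
            findings.append(Finding("high", key[0], key[1], value, rule[1]))
        else:
            findings.append(Finding("review", key[0], key[1], value,
                                    "policy value present; confirm it came from GPO, not from this sample"))
    return findings


def read_live() -> Dict[Key, Optional[int]]:
    """Read the same values from HKLM on a Windows host (needs the winreg module)."""
    import winreg
    observed: Dict[Key, Optional[int]] = {}
    for path, name in ALL_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as handle:
                observed[(path, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:   # key or value missing
            observed[(path, name)] = None
    return observed


# Constructed snapshot: the four values the report shows, plus assumed data for
# the three Windows Update values whose contents the report does not print.
SAMPLE_SNAPSHOT: Dict[Key, Optional[int]] = {
    (DEFENDER_NOTIF, "DisableNotifications"): 1,
    (DEFENDER_RTP, "DisableIOAVProtection"): 1,
    (DEFENDER_RTP, "DisableRealtimeMonitoring"): 1,
    (DEFENDER_FEATURES, "TamperProtection"): 0,
    (WU_AU, "AUOptions"): 1,                                    # assumed
    (WU_AU, "AutoInstallMinorUpdates"): 0,                      # assumed
    (WU, "DoNotConnectToWindowsUpdateInternetLocations"): 1,    # assumed
}

if __name__ == "__main__":
    snapshot = read_live() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for f in evaluate(snapshot):
        print(f"[{f.severity}] HKLM\\{f.key}\\{f.name} = {f.observed}: {f.reason}")
```

Two caveats when reading the output. Writing these values needs administrative rights, so a "high" finding on a host where the sample ran as a standard user points at a separate elevation step. And on a host where tamper protection is enabled, Defender ignores the Real-Time Protection policy values and does not honour a registry write of TamperProtection=0, so the writes in the report are an attempt rather than proof that protection went down; confirm the real state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) and the Defender operational event log rather than from the registry alone.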
MITRE ATT&CK matrix (techniques the report matched carry its signature-count badge in parentheses):
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (2) | DLL Side-Loading (1) | Process Injection (1) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (2) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (41) | LSASS Memory | Security Software Discovery (641) | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Bypass User Account Control (2) | Virtualization/Sandbox Evasion (271) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (1) | NTDS | Virtualization/Sandbox Evasion (271) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | System Information Discovery (24) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (3) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (12) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Bypass User Account Control (2) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532434
Start date and time: 2024-10-13 07:18:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9332139354733915
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'743'360 bytes
MD5: 94eedad5efd6b4130b472b769b0a5c35
SHA1: db9d4f3b42ce62fae1ddcdea627390f1705f0fd9
SHA256: 2b87095a88843574715151c409bc2d2f86431f50c6692247b77d3c3a7afd75cd
SHA512: 045d08f017e657094ce29391c3286edba3715ea5ad1d9276bfbae2f3769b99780ff10beb2fc3ac0ea243f67eeb16118dadf42ab2b5e089e9fc26dc01f0d5169d
SSDEEP: 49152:ljsF/bw3IvNQ8L1123f5PlS2zWbEdjlEh2A:xAw4vNQ8L1MhPQ23djOt
TLSH: 35853321BCBE5F16E4AF0B7BCBE6569308F0E431EA49CBAA702B60734106D50D52B5D7
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........@E.. ...`....@.. ........................E.....P#....`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x854000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8055           0x69          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x6000           0x59c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x81f8           0x8           .idata
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type             Entropy             Characteristics
          0x2000           0x4000        0x1200    d105986ed0c676b21453de9149f3588d  False     0.9338107638888888  data                  7.804495319048474   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc     0x6000           0x59c         0x600     aae15e30898a02f09cc86ed48aa06b09  False     0.4140625           data                  4.036947054771808   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata    0x8000           0x2000        0x200     ec9cb51e8cb4ea49a56ee3cf434fb69e  False     0.1484375           data                  0.9342685949460681  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          0xa000           0x2a4000      0x200     e44b64e91fb8edb9163a46684e15d208  unknown   unknown             unknown               unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xnyyorma  0x2ae000         0x1a4000      0x1a3600  685ba43733b5601f6b2ce070c3d71a74  False     0.9947547969448585  data                  7.952908636162783   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
coaxywia  0x452000         0x2000        0x600     f95075da28288265e4e88f1e49699dc2  False     0.59765625          data                  5.109351678614352   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant  0x454000         0x4000        0x2200    9a0817ed4a5b7cc7df64c5e4c4344d31  False     0.0646829044117647  DOS executable (COM)  0.7316721577006059  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0x6090  0x30c  data                                                                                                   0.42948717948717946
RT_MANIFEST  0x63ac  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
DLL           Import
kernel32.dll  lstrcpy
No network behavior found
Target ID:0
Start time:01:18:57
Start date:13/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x820000
File size:1'743'360 bytes
MD5 hash:94EEDAD5EFD6B4130B472B769B0A5C35
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.2%
    Dynamic/Decrypted Code Coverage:3.5%
    Signature Coverage:4.1%
    Total number of Nodes:340
    Total number of Limit Nodes:19

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11AA5FEC), ref: 00A07F00
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00A07F61
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: fedfaed17d5b4b85c81288f82ededbdd81e9c760a6b89be20f3ab2dd7de75edf
    • Instruction ID: 01245c424089d295e8e89d70c63057e7221f5225157f78fb7cdbf495c49cc7db
    • Opcode Fuzzy Hash: fedfaed17d5b4b85c81288f82ededbdd81e9c760a6b89be20f3ab2dd7de75edf
    • Instruction Fuzzy Hash: 5A4111B1D0060AEFD729DF60D905B9677ACFF48B40F4000A6A697CE482EA7495D4CBA4

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00A01040
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00A01054
    Strings
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 8d76c6858da23c6f9d54f44af5f691c8fe201d2363cc46783c12b6bbde5b35b5
    • Instruction ID: 7b18229ad341a605fcc0644a559deb8c6b380b50b9a5b17fe63a4bcaeaed2bf4
    • Opcode Fuzzy Hash: 8d76c6858da23c6f9d54f44af5f691c8fe201d2363cc46783c12b6bbde5b35b5
    • Instruction Fuzzy Hash: EB31567590424EEFDF25AF90EA04FAE7B75FF04311F108129F906961A1D73099E0EBA1

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00A013C7,?,00000000,00000000), ref: 00A014F2
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00A013C7,?,00000000,00000000), ref: 00A01500
    Strings
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 8817379b5eaf1054a268c6221333a1f27cb3ac5ac722316b212ca33e08827ab2
    • Instruction ID: 6f69fee55c3be837ffa4a6cf200c66d11a2d640f17330247aad6c9a434b294ee
    • Opcode Fuzzy Hash: 8817379b5eaf1054a268c6221333a1f27cb3ac5ac722316b212ca33e08827ab2
    • Instruction Fuzzy Hash: 731152B120460EFBDB319F64E918BEC7AB1FF40389F444225F513494E0C7B2A8E4DA95

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(00FE1214,-11AA5FEC), ref: 00A03E08
    • GetFileAttributesA.KERNEL32(00000000,-11AA5FEC), ref: 00A03E16
    Strings
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 49562351db3421a63943072abd362d60f48d39424de05b2d15336c1a3801a381
    • Instruction ID: f5a7abdc0c8fe8453ff0f4efb766ac263f79c445bbaf7354cef69ee04c62f9f5
    • Opcode Fuzzy Hash: 49562351db3421a63943072abd362d60f48d39424de05b2d15336c1a3801a381
    • Instruction Fuzzy Hash: 1601693250410CFBEF21AF24E9097AD7EB8EF40344F208669F603650D1D7B59BA1EB80

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 009B4E53
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 009B4E7A
    • GetNativeSystemInfo.KERNELBASE(?), ref: 009B4ED1
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 4620a2f78cfb743750df4fbfa45fc1287465414d4b422f990b49e5b4b5656851
    • Instruction ID: 9aa715802aeead31f691899bba73ee491d9f508f6cbd6740db71f60f304833e1
    • Opcode Fuzzy Hash: 4620a2f78cfb743750df4fbfa45fc1287465414d4b422f990b49e5b4b5656851
    • Instruction Fuzzy Hash: C9513A7140821AEFDB11EF64C949BEE77E8EF04310F11482EE98186A50D7765CA4DF9A

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 009FFE71
    Strings
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 6b4642aa9cfe0f05be9527e032fa777b7f9eff7af289625a899a0f67b471047a
    • Instruction ID: 17265ba237a060a1552b759d328f6e5dd1ee142d5f903d224feff740d66a3afa
    • Opcode Fuzzy Hash: 6b4642aa9cfe0f05be9527e032fa777b7f9eff7af289625a899a0f67b471047a
    • Instruction Fuzzy Hash: 51315A36A0060EBFDF219F94CC19BAEBB79FF48305F0010A1FB05A5061EB729A61DB54

    Control-flow Graph

    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00A01582
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 22ce94050ac99d64b98a90fbac697a1636f8d54ab76b28cab45dff3796c8e618
    • Instruction ID: aa355bed8b447af6690db2f5a5f9e77e94cb5372dd8c5b702611ec72b01390c5
    • Opcode Fuzzy Hash: 22ce94050ac99d64b98a90fbac697a1636f8d54ab76b28cab45dff3796c8e618
    • Instruction Fuzzy Hash: 02F01D7210020CBFDF109F64E985BED3BB4FF94354F108125FA178A092D771E9A1AB52

    Control-flow Graph: basic blocks a03fab-a04090, calling 9ff85c, a03eb8, a03f5d, 9fff6e, a017b2, 9ff907, CreateFileW and CreateFileA (rendered graph with executed/not-executed colouring not reproduced)
    APIs
    • CreateFileW.KERNELBASE(00FE1214,?,?,-11AA5FEC,?,?,?,-11AA5FEC,?), ref: 00A0405D
      • Part of subcall function 00A03F5D: IsBadWritePtr.KERNEL32(?,00000004), ref: 00A03F6B
    • CreateFileA.KERNEL32(?,?,?,-11AA5FEC,?,?,?,-11AA5FEC,?), ref: 00A0407D
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: f48c4aee4076ff52ea52610a15cb1f40e6c940969b21716f611e8a5b3c85233a
    • Instruction ID: eee35c95309a85e70ce1e11f05d991defb6d2f06091182aee51c33a5cde49e4d
    • Opcode Fuzzy Hash: f48c4aee4076ff52ea52610a15cb1f40e6c940969b21716f611e8a5b3c85233a
    • Instruction Fuzzy Hash: 7011297250410EFBDF229F90EE05BAE3E75BF18345F048115BA02644E0C77A8AB1EB51

    Control-flow Graph: basic blocks a03917-a0399d, calling 9ff85c, GetCurrentProcess, 9ff6b6, a016b4, 9ff907 and DuplicateHandle (rendered graph with executed/not-executed colouring not reproduced)
    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    • GetCurrentProcess.KERNEL32(-11AA5FEC), ref: 00A03924
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A0398A
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 0b65ae04ff8c4d9a864fcb16df193b0414ea937a66ec3b37adad06a791f38f21
    • Instruction ID: 9a63dc9cf66f2160bff9bf8dd7c981fbd80212fe060f79f75127bfb059c73610
    • Opcode Fuzzy Hash: 0b65ae04ff8c4d9a864fcb16df193b0414ea937a66ec3b37adad06a791f38f21
    • Instruction Fuzzy Hash: A4014B3310014EBBCF22AFA9EC18EEE3B39BF94394B004121FA1290055CB72D562EB61

    Control-flow Graph: basic blocks 9ff85c-9ff8c8, calling GetCurrentThreadId, a066db and Sleep in a loop (rendered graph with executed/not-executed colouring not reproduced)
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 009FF86B
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 8f4b6c5eeca0487dc8872092fb2f383e11fd3c6e49e72bb283761c49bdd024b2
    • Instruction ID: 27746e8d8f03e67a40775d7a204aa3f9105ec2d5a83fdf8974d75089739220ca
    • Opcode Fuzzy Hash: 8f4b6c5eeca0487dc8872092fb2f383e11fd3c6e49e72bb283761c49bdd024b2
    • Instruction Fuzzy Hash: D2F0BE3250110DEBE7218F90C9A876EB3B8FF413AAF2001B9D20395890D7721996EB85

    Control-flow Graph: basic blocks a08920-a08ab2, calling a087b5, a0888a and VirtualProtect (rendered graph with executed/not-executed colouring not reproduced)
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 600a0e63277d6b442cc83dbda46948e66705838856fdda208412b9ab0b6e660d
    • Instruction ID: 0468e28de65b4c6b3fd0c4da922a349cc88a5ab89004d2b9503856a6332398d2
    • Opcode Fuzzy Hash: 600a0e63277d6b442cc83dbda46948e66705838856fdda208412b9ab0b6e660d
    • Instruction Fuzzy Hash: 91418371A0020DEFDB24DF14E944BAE77B1FF00390F654055E582AB9D2CB39AD90CB59

    Control-flow Graph: basic blocks a01f96-a020cf, calling 9ff93a, 9ff95f, a01778, a06800, CreateFileA, 9ff67c, a01675 and a01607 (rendered graph with executed/not-executed colouring not reproduced)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00A0204B
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 99a7081256bfc52ad671be7ae622d601fc96b60b97ec23064844d6077a203953
    • Instruction ID: 132963807377b0ad529740375d2992b5389d934879a07d7abc6f8a4dc84f764f
    • Opcode Fuzzy Hash: 99a7081256bfc52ad671be7ae622d601fc96b60b97ec23064844d6077a203953
    • Instruction Fuzzy Hash: E5316071900309FAEB209F64EC49FAEBBB8FF44714F208169F615AA1D1C7729A51DB24

    Control-flow Graph: basic blocks a017b2-a018d2, calling 9ff93a, a01778, a06800, CreateFileA, 9ff67c, a01675 and a01607 (rendered graph with executed/not-executed colouring not reproduced)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00A01834
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: b0b5802f27130bc2166e39052294704520d64fea7296bf618bdb3daf80dd49e4
    • Instruction ID: 047378a446f882fe50e090f49d78763f440bd2f5845bd467155dbbdd00804dc9
    • Opcode Fuzzy Hash: b0b5802f27130bc2166e39052294704520d64fea7296bf618bdb3daf80dd49e4
    • Instruction Fuzzy Hash: 2D31A572A00209BAE7209F64EC45FD977B8EF04728F208369F611EA0D1C7B2A656CB54
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00A0871A
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: f11bff13e041cae5ee732c0bf41c9fb08ea371149e8cb25145f341efd72e7bed
    • Instruction ID: 7eb47b258b309a87283b377574aba912716d6e637505c6cb5c235c8984fba811
    • Opcode Fuzzy Hash: f11bff13e041cae5ee732c0bf41c9fb08ea371149e8cb25145f341efd72e7bed
    • Instruction Fuzzy Hash: FF11D671A0122DDFEF204714AC48BEB7B7CEF04B10F2050A5F985920C5DF789D808AA9
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E40DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1807637489.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 64c4d2cde608a9ffd3a60210439e3326993e2c2ce691d99e5e008e48c525e6ca
    • Instruction ID: feaedfd9cb100034c8b57e2979c9fef87526cbcfd22a3647299495cc624c4b95
    • Opcode Fuzzy Hash: 64c4d2cde608a9ffd3a60210439e3326993e2c2ce691d99e5e008e48c525e6ca
    • Instruction Fuzzy Hash: 612115B6D00219CFCB54CF99E484BDEFBF1EB88320F14852AD908AB244D734A545CFA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04E40DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1807637489.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: b35dba3f139148b40d55da489f9bade0058b1b441124f66bd2b9e3eaceb30f55
    • Instruction ID: 30375254530521ebf37e4c2def0a82e13bd56d57225b12eecf458759206c2f91
    • Opcode Fuzzy Hash: b35dba3f139148b40d55da489f9bade0058b1b441124f66bd2b9e3eaceb30f55
    • Instruction Fuzzy Hash: 842115B6C012189FCB50CF99E884ADEFBF4EB88320F14852AD908AB204D774A544CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04E41580
    Memory Dump Source
    • Source File: 00000000.00000002.1807637489.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 69e43c469c2db9636df72ff24e7ab95ee30375c53b267558c3ce03af2af18f1b
    • Instruction ID: 8b65b26004b099754506cbd5f33bdb3bab63b177524ad22e22388151e3647bc2
    • Opcode Fuzzy Hash: 69e43c469c2db9636df72ff24e7ab95ee30375c53b267558c3ce03af2af18f1b
    • Instruction Fuzzy Hash: 4811F6B5D00249DFDB10CF9AD584BDEFBF4EB48324F10842AE559A7250D378A684CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04E41580
    Memory Dump Source
    • Source File: 00000000.00000002.1807637489.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: cc59763796d1bf5234c7d8062e699a17b5614b7c6217fbca71414484b48f3c5b
    • Instruction ID: e0fdaaf7fc8a92e6eb47a0703c6e005ff7f68de6091aa27f5de45a9c7a06bade
    • Opcode Fuzzy Hash: cc59763796d1bf5234c7d8062e699a17b5614b7c6217fbca71414484b48f3c5b
    • Instruction Fuzzy Hash: 551126B5D00209CFDB10CF9AD584BDEFBF4BB48320F10842AE959A7250D778A684CFA5
    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11AA5FEC), ref: 00A04B6A
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: 49f76f5bf833461dbc9591cab42551e9042d386fd7374aee36e090aa1f78ffc4
    • Instruction ID: cb8b2e9245f322b560c01af00e3254c18f0e39333314d951d19b1b94bb62c8ed
    • Opcode Fuzzy Hash: 49f76f5bf833461dbc9591cab42551e9042d386fd7374aee36e090aa1f78ffc4
    • Instruction Fuzzy Hash: 7911B7B610014EFACF126FA4ED09EAE3B7AFF5A354B044525FB11550A1C736C871EB61
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04E41367
    Memory Dump Source
    • Source File: 00000000.00000002.1807637489.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: d0abb873852576491b19ddaa22d849880e4d326bef24f4d5fc52ff7bb509a0c1
    • Instruction ID: ee70dd3fdd83d5e7fde361b86d3a3f25bdfe7aa925c23d35ed0e4b2310ccf158
    • Opcode Fuzzy Hash: d0abb873852576491b19ddaa22d849880e4d326bef24f4d5fc52ff7bb509a0c1
    • Instruction Fuzzy Hash: 1D1146B1900249CFDB10CF9AD584BEEFBF4EF48324F24842AD558A3240C778A580CFA5
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: aaebd99a1bd4090d352f5afca3844824b67edfa9e3343e71d5a56dd466cfa982
    • Instruction ID: fd065aa015b6fd3d388baeba1ad8e3b418a605faa1aa1137d9a3e9f77eb99751
    • Opcode Fuzzy Hash: aaebd99a1bd4090d352f5afca3844824b67edfa9e3343e71d5a56dd466cfa982
    • Instruction Fuzzy Hash: 0F111BB210020EEECF12AFA4E909FAF3B75BF48384F104025FA11860A5C775CA65EB91
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04E41367
    Memory Dump Source
    • Source File: 00000000.00000002.1807637489.0000000004E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4e40000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 372e307ed279888d46b6aa3f68234c587d652f77e696636d78f52919abef798d
    • Instruction ID: 62f821ffc43d7d9a18e2fc3f7141d0f05581c38413e1b58fdc79272887958c10
    • Opcode Fuzzy Hash: 372e307ed279888d46b6aa3f68234c587d652f77e696636d78f52919abef798d
    • Instruction Fuzzy Hash: AE1148B1800349CFDB10CF9AD449BEEFBF4EB48324F20842AD558A3250C778A584CFA5
    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11AA5FEC,?,?,00A01EDE,?,?,00000400,?,00000000,?,00000000), ref: 00A0421B
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: cbc304a06912e606ea622cbeb8ce83efa7958a3d7a29b9d6b8918853b0866948
    • Instruction ID: 59f5619e9348b3e771f759461c13ba8de64c0a1301dfb23cc082fd02a3b74e79
    • Opcode Fuzzy Hash: cbc304a06912e606ea622cbeb8ce83efa7958a3d7a29b9d6b8918853b0866948
    • Instruction Fuzzy Hash: 56F0B67620410EBBCF129FA4E919EAE3F76FF99351F004121FB0185061D772C5A1EB61
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 6fab3f730afc7e2c06d7ca3597e7125ea1385cbe460197ad6946ad7dab325f28
    • Instruction ID: c0538c019e67bffa2ce53ff8628839ca9bdb38b94872bb8f3ec921ad74e0cfa4
    • Opcode Fuzzy Hash: 6fab3f730afc7e2c06d7ca3597e7125ea1385cbe460197ad6946ad7dab325f28
    • Instruction Fuzzy Hash: F901D236A0010DFFDF219FA4CC14EAEBB7AEF84750F005171B609A41A1E732CA65DB60
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00A08293,?,?,00A07F99,?,?,00A07F99,?,?,00A07F99), ref: 00A082B7
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: e3aa8db192c7bdec13656a24576690dc9b4245eee357810281f5f7f9af9122f9
    • Instruction ID: 38d277a9151d03265e0ef3b4c6ee5fe62fc88f9df0216ae55f12b27fbf74bc30
    • Opcode Fuzzy Hash: e3aa8db192c7bdec13656a24576690dc9b4245eee357810281f5f7f9af9122f9
    • Instruction Fuzzy Hash: 15F081B1900309EFE7208F04D905B99BBF4FF48B51F208068F59A9BA91D7B598D0CBA4
    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    • CloseHandle.KERNELBASE(00A01F73,-11AA5FEC,?,?,00A01F73,?), ref: 00A025EE
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 3d0f1eb4322930a99e918ec6457f3ef0d07144fcf0cb1576196365f8c87f0d3d
    • Instruction ID: e4f7bb341c48d8ca3e007630fa4f7ff29a973ed000b4a2fc8be9f52f5ae68d3e
    • Opcode Fuzzy Hash: 3d0f1eb4322930a99e918ec6457f3ef0d07144fcf0cb1576196365f8c87f0d3d
    • Instruction Fuzzy Hash: 56E04FB320014DB6CE207B78EC2DFAE3F789FD1354B044131B60385491DB69E5E2A769
    APIs
    • CloseHandle.KERNELBASE(?,?,009FF6FB,?,?), ref: 00A0167B
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 03c1c0bd21155187c4fdcb039e8be15873d6e63cf9b7ed41dae91f3acf2babf4
    • Instruction ID: 65bb8cca2e6fd2af98b7f1499758205dc3b3a61461843241e8d848950284d15f
    • Opcode Fuzzy Hash: 03c1c0bd21155187c4fdcb039e8be15873d6e63cf9b7ed41dae91f3acf2babf4
    • Instruction Fuzzy Hash: F0B09B3100010C77CB417F51EC0584D7F65FF51355B04C110B54684461C773E560D7D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: #9y$&\/}$I'_w$VJF?$Vvo=$_<a$bOX)$=vo$os
    • API String ID: 0-1076337712
    • Opcode ID: d1b67b0d4447811f0184e223bbbd8483cf29dc058eef6a684f259c91f4e49c62
    • Instruction ID: 8e41ee0a8db7b49956c5261cad75aebdc09983902d73cc8e838061a11c9dfe7d
    • Opcode Fuzzy Hash: d1b67b0d4447811f0184e223bbbd8483cf29dc058eef6a684f259c91f4e49c62
    • Instruction Fuzzy Hash: FEB217F3A0C2049FE304AE6DDC8567AFBE9EF94620F1A453DEAC4C7744EA3558048697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: Ask$/2uw$4SS?$Q0S[$`|;~$v:1
    • API String ID: 0-411699891
    • Opcode ID: 42c80cd76fb479069e917626ec1101481acc99c559a76547ebfd8f02b9ab118b
    • Instruction ID: 77931b2b7db77710c3d50c6c021437fcc4adfeb4282fab7dfa40cc2cb909f797
    • Opcode Fuzzy Hash: 42c80cd76fb479069e917626ec1101481acc99c559a76547ebfd8f02b9ab118b
    • Instruction Fuzzy Hash: EFB2F5F3A0C2109FE304AE29DC8167AF7E9EF94720F1A893DE6C487744E63598418797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: !Dn$%Dn$1v7Y$|^&$7-
    • API String ID: 0-1708577662
    • Opcode ID: f2a308f1d439e861ee61cbfee89a7ad877314fa2a922feb5f930e1143abd6ed4
    • Instruction ID: 0ff3d34ebb24c8ed6ff3e3905124114a297beb522efb87f433015016da1e21a7
    • Opcode Fuzzy Hash: f2a308f1d439e861ee61cbfee89a7ad877314fa2a922feb5f930e1143abd6ed4
    • Instruction Fuzzy Hash: D7B228F3A082049FE304AE2DEC8567AFBE9EFD4320F1A453DEAC4C7744E97558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: "=w$%vy$+Hs$E@dN
    • API String ID: 0-1078463195
    • Opcode ID: 1f6a824c43f640b24c37f43e7a9d72e1e97c2dd3fe58ca469edf4e927f32f151
    • Instruction ID: b4c549565db05786dbf450de448f0dc0d1ab49061dfa11651064e5b35a942747
    • Opcode Fuzzy Hash: 1f6a824c43f640b24c37f43e7a9d72e1e97c2dd3fe58ca469edf4e927f32f151
    • Instruction Fuzzy Hash: AAB2E7F360C2049FE304AE29EC8567AFBE9EF94720F16893DE6C5C3744EA3558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: 1p{$eXwz$v&P$(/
    • API String ID: 0-1030765502
    • Opcode ID: 6ae9d1de4ef9c4953285b0972b429af790b0bb265be1928f3c9a5d62b53ce98a
    • Instruction ID: 26efac95706a077ea522d78c68c91506896ea0bd171c18ee1022b44f85d9f91a
    • Opcode Fuzzy Hash: 6ae9d1de4ef9c4953285b0972b429af790b0bb265be1928f3c9a5d62b53ce98a
    • Instruction Fuzzy Hash: 6AB204F360C204AFE7086E29EC8567AF7E9EF94720F1A492DE6C5C7344EA3558418693
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: +u=$FW%$Ku7?$YX~{
    • API String ID: 0-1333385171
    • Opcode ID: 0dca64854829f68f2d4775cf854c45e6b76ad987b7cd97eeabaeb57a6dcb304f
    • Instruction ID: e4b75c68e64bedb0faf9b1711b615368c280111a6f67b0fc6231af90e3f151fd
    • Opcode Fuzzy Hash: 0dca64854829f68f2d4775cf854c45e6b76ad987b7cd97eeabaeb57a6dcb304f
    • Instruction Fuzzy Hash: 20B215F360C204AFE704AE2DEC8577ABBE5EF94720F1A492DE6C583744EA3558018797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: )QgZ$,W_$,}{$XFm
    • API String ID: 0-3934199372
    • Opcode ID: 8c81c477c3eece5ee99815cc19993815891da6dfa7f828b78e49bc18726c30e6
    • Instruction ID: 0d2f90295002395d1f248c96c26ed142c70234157f46ef907dd4de983d930099
    • Opcode Fuzzy Hash: 8c81c477c3eece5ee99815cc19993815891da6dfa7f828b78e49bc18726c30e6
    • Instruction Fuzzy Hash: AA3259F3A083049FE7046E2DEC8577ABBE5EB94620F1A463DEAC4C3744EA3558058797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: We5$b^VL$yA;
    • API String ID: 0-884815210
    • Opcode ID: d0003a6dfca4385a58611d23df8479b698278fb86bd80ca4f7a2d2ed3ac551db
    • Instruction ID: 1001e8ad56d67ff5bef4bc737b1a5d8438afb35291233a47e3680b742e9ec8f0
    • Opcode Fuzzy Hash: d0003a6dfca4385a58611d23df8479b698278fb86bd80ca4f7a2d2ed3ac551db
    • Instruction Fuzzy Hash: 46B207F360C304AFE3046E6DEC85A7ABBE9EBD4720F1A463DE6C4C3744E67558018696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: &Z?s$1I4$1I4$sJvg
    • API String ID: 0-2913234596
    • Opcode ID: 295c214475e748996a62fb486ad6807801d5857d453fd01c0ec6c40c93128ddd
    • Instruction ID: 8be8f896c41424a2dc6de342cc3a094dd2c698b79d036c0a151d1a41f2d7c58c
    • Opcode Fuzzy Hash: 295c214475e748996a62fb486ad6807801d5857d453fd01c0ec6c40c93128ddd
    • Instruction Fuzzy Hash: B25106F3E181105BF308AA2CDC4677ABAD6EBD8310F1B453DEAC9D3380E97958018696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: #as$P,/w
    • API String ID: 0-2130119002
    • Opcode ID: 72d404061706b4ec26c4e15e7a5e859a392c115116b6f4796a3d4dc68c10f6a5
    • Instruction ID: fc3bbbc3837c3fab100f1a72da33c476772da3a3994f63fb865fc980a5747f77
    • Opcode Fuzzy Hash: 72d404061706b4ec26c4e15e7a5e859a392c115116b6f4796a3d4dc68c10f6a5
    • Instruction Fuzzy Hash: 2B922BF360C2049FE304AE29EC8577AF7E9EB94320F16863DEAC4C7744E63558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: %$shell32.dll$x
    • API String ID: 0-999810496
    • Opcode ID: fa52c3c9bd8b6724eaaa3e2716bd5d5aa1608201b07c68003117f6cea949c9ca
    • Instruction ID: 47785d822e5241183ba46eaaff79033e4ef7b05ab4a10af8b4450cfddf670c44
    • Opcode Fuzzy Hash: fa52c3c9bd8b6724eaaa3e2716bd5d5aa1608201b07c68003117f6cea949c9ca
    • Instruction Fuzzy Hash: 0B116073D0420AEAEB24DF54EA49BAEB7BCFF84704F208056F10399582E37559D58BE1
    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
    • GetSystemTime.KERNEL32(?,-11AA5FEC), ref: 00A039DE
    • GetFileTime.KERNEL32(?,?,?,?,-11AA5FEC), ref: 00A03A21
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: 9070b161a775d8da4f8ed2ad4881b700e7dc8ad073ddd309b3057ad8ab8f203a
    • Instruction ID: af0d6b8478a13fe83564fabe44ded88cebc16a2c9c787e6a3ff8160f2b49eacb
    • Opcode Fuzzy Hash: 9070b161a775d8da4f8ed2ad4881b700e7dc8ad073ddd309b3057ad8ab8f203a
    • Instruction Fuzzy Hash: 3E01E83720008AFBCF21AF69E80CE9E7F79FFC5354B104125F65285461C77299A1EB61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: "&vV$;*
    • API String ID: 0-2995814020
    • Opcode ID: 761a93aa2261a7f83cfa497db0b1b88719a5bf0109e7cac52a12c0d5c152fb20
    • Instruction ID: 8abec84db7c858b9320e597b32de9f751ee498e8e64ea234842d0bda699273c5
    • Opcode Fuzzy Hash: 761a93aa2261a7f83cfa497db0b1b88719a5bf0109e7cac52a12c0d5c152fb20
    • Instruction Fuzzy Hash: E8519FF3A082045FF3489E3CEC9572B77D6EBC4710F15823DE98987784E9766D058256
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00A048AE
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: 84649ded8abc832ccb920803104653ec84ce0bc7d6e1518528160dafc81f2bfe
    • Instruction ID: ce688c575c94ab8754d53a218ca7b3a452b10aa0083b8fd396aab370853caa74
    • Opcode Fuzzy Hash: 84649ded8abc832ccb920803104653ec84ce0bc7d6e1518528160dafc81f2bfe
    • Instruction Fuzzy Hash: 65F0F83260064EFFCF01CF94D94499C7BB1FF18315B10C529FA1596150D3769A65EF80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID: KG1?
    • API String ID: 0-1757393386
    • Opcode ID: 61bb8dd31965f654784dfe299a2aeacb6ddbf068501fe37e35181ba38925afa6
    • Instruction ID: 7ec88c62addee4f7bbf575e6e48a967ff5d654994087a7a86011c0c98b2482ee
    • Opcode Fuzzy Hash: 61bb8dd31965f654784dfe299a2aeacb6ddbf068501fe37e35181ba38925afa6
    • Instruction Fuzzy Hash: 0651D5F3A082149FE340AE2DEC8477AB7E5EF94764F26863DDAC483744E93558058692
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 94a0bb5910aa3aec410d7f220c6795eb61547f9605e26e0bf64747a177a959cc
    • Instruction ID: 1bb6740a392ef1e5f191c982497377721bb6fb5d00e1e344e959a2026c08b5a4
    • Opcode Fuzzy Hash: 94a0bb5910aa3aec410d7f220c6795eb61547f9605e26e0bf64747a177a959cc
    • Instruction Fuzzy Hash: A461F3F3F182105BE3085A2DEC957BAB7D6EBD4720F1B453EAA89D3380E9755C008696
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 671d8ef3ed7fddf7dfe6ac131c7ee68a4de96a499288da1953410698b6dd245d
    • Instruction ID: 6ca5b0b437abb6c99c6b8b7b20325e5a3fc000bbc21eb8d5c85f9bfcca083e8f
    • Opcode Fuzzy Hash: 671d8ef3ed7fddf7dfe6ac131c7ee68a4de96a499288da1953410698b6dd245d
    • Instruction Fuzzy Hash: 4C51F7B3B083049BF3449E29DC85779B7D6EBD4310F2A893DD6C4C7780DAB998468746
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    • Associated: 00000000.00000002.1803295756.0000000000820000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804351796.0000000000822000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804382221.0000000000826000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.000000000082A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ABF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804547252.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1804949959.0000000000ACF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805086459.0000000000C72000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1805114980.0000000000C74000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5d0dd46b7f019c92334eb91b7923faede66dcbbce96ebf8b7504a460c65bdbdb
    • Instruction ID: 14faab89af06ba59e3fb1cfcc320498e60b41c0f6f8115038d2585eb935463a7
    • Opcode Fuzzy Hash: 5d0dd46b7f019c92334eb91b7923faede66dcbbce96ebf8b7504a460c65bdbdb
    • Instruction Fuzzy Hash: 452162B251C304AFE315BE68DC81B6AF7E5EF58310F06492DE7D4C3340EA7558508A9B
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b7f34283938768cd15b7ab180c4eebfe4952537d3defd5c5bd330f1250b1a7cb
    • Instruction ID: 9a10c2d61f2842324c6106daaeafa9df21ec9dfa1dcb772bb2c975ed908db8a1
    • Opcode Fuzzy Hash: b7f34283938768cd15b7ab180c4eebfe4952537d3defd5c5bd330f1250b1a7cb
    • Instruction Fuzzy Hash: F40124B590021A9ADF25CF04C108ADBB7B6FF48360F2682A9D8056BB10D7746D90CF49
    APIs
      • Part of subcall function 009FF85C: GetCurrentThreadId.KERNEL32 ref: 009FF86B
      • Part of subcall function 009FF85C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 009FF8AE
      • Part of subcall function 00A03F5D: IsBadWritePtr.KERNEL32(?,00000004), ref: 00A03F6B
    • wsprintfA.USER32 ref: 00A02F25
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00A02FE9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: 3a4e292b31e23eca2faa66904e4f922088c20d2956c7b647bb3515085073645f
    • Instruction ID: dfaf4767713afd84ca56f515e598d299395769b0134309349018e7ca51c0b5b8
    • Opcode Fuzzy Hash: 3a4e292b31e23eca2faa66904e4f922088c20d2956c7b647bb3515085073645f
    • Instruction Fuzzy Hash: 0431067290020EFBDF119FA4DD49FEEBB79FF84310F108125BA11A61A1D7719A61EB60
    APIs
    • GetFileAttributesExW.KERNEL32(00FE1214,00004020,00000000,-11AA5FEC), ref: 00A03B9D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1804547252.00000000009B0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00820000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_820000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 8d1c65975e713b108d5f70ea099adb4d63300cddad4da7b033dc37d29fa9bf3c
    • Instruction ID: 6ab22c3236f376faf9a926aa2fda8de856ad05b4b63ee2a95ed64ee29413109f
    • Opcode Fuzzy Hash: 8d1c65975e713b108d5f70ea099adb4d63300cddad4da7b033dc37d29fa9bf3c
    • Instruction Fuzzy Hash: 3D31BC76504709EFCF248F54D844B9EBBB4FF08354F008529F95667690C3B5AAA4DF90