Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532476
MD5: a5762c09b778475ada33e2d4c1c0d8f5
SHA1: 2ff1217d17984a3e1527f2f32440ea99803013b3
SHA256: 3304d2d210900dcea3680e88f9de9bcefeb3fcdcc89cd39ef3ef60b0a3a94019
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6792 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A5762C09B778475ADA33E2D4C1C0D8F5)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010512FC CryptVerifySignatureA, 0_2_010512FC
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1662768682.0000000005150000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0104C2F1 appears 35 times
Source: file.exe, 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename: defOff.exe vs file.exe
Source: file.exe | Static PE information: Section: ucbmcqjh ZLIB complexity 0.9950850372942387
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1766912 > 1048576
Source: file.exe | Static PE information: Raw size of ucbmcqjh is bigger than: 0x100000 < 0x1a9400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1662768682.0000000005150000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ucbmcqjh:EW;bkocszwb:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bcad2 should be: 0x1b0bc7
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: ucbmcqjh
Source: file.exe | Static PE information: section name: bkocszwb
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: entropy: 7.776433578331075
Source: file.exe | Static PE information: section name: ucbmcqjh entropy: 7.954511868433097

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D265 second address: 101D295 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8CB8C9472Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F8CB8C94739h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 101D295 second address: 101D2AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDA0F5 second address: FDA0F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDA0F9 second address: FDA116 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC59Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F8CB8EFC598h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDA116 second address: FDA11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDA11A second address: FDA11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC76A second address: FEC76E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC76E second address: FEC7A6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F8CB8EFC59Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8CB8EFC5A9h 0x00000011 jmp 00007F8CB8EFC59Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEC7A6 second address: FEC7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10221AF second address: 10221B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10221B5 second address: 10221B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10221B9 second address: 10221C3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8CB8EFC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10221C3 second address: 10221DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 je 00007F8CB8C94726h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jne 00007F8CB8C94726h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEAC8F second address: FEAC96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEAC96 second address: FEAC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEAC9C second address: FEACA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEACA5 second address: FEACA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEACA9 second address: FEACAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025927 second address: 1025940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8CB8C94726h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F8CB8C9472Ah 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025940 second address: 102594E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8CB8EFC598h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102594E second address: 1025958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8CB8C94726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025AB2 second address: 1025AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025AB6 second address: 1025ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025EAA second address: 1025ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC5A1h 0x00000009 pop edi 0x0000000a jno 00007F8CB8EFC59Eh 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025ED4 second address: 1025ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1025ED9 second address: 1025EDE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102602E second address: 1026032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1026032 second address: 1026036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10276EF second address: 10276F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10276F5 second address: 10276FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028EAE second address: 1028EB8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8CB8C9472Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028EB8 second address: 1028EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028EC6 second address: 1028ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028ECC second address: 1028F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8CB8EFC5A9h 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jns 00007F8CB8EFC59Ah 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028F00 second address: 1028F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8CB8C94726h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1028F0B second address: 1028F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10293BB second address: 10293C1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029B28 second address: 1029B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F8CB8EFC59Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029CCC second address: 1029CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029F47 second address: 1029F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029F4D second address: 1029F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102A5C8 second address: 102A5CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102A5CC second address: 102A5D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102AD92 second address: 102AD9C instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8CB8EFC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BEC0 second address: 102BECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BECC second address: 102BED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BED0 second address: 102BF0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 jmp 00007F8CB8C94730h 0x0000000d push 00000000h 0x0000000f mov di, CDE9h 0x00000013 push 00000000h 0x00000015 or dword ptr [ebp+122D2782h], ebx 0x0000001b xchg eax, ebx 0x0000001c je 00007F8CB8C94730h 0x00000022 pushad 0x00000023 jnc 00007F8CB8C94726h 0x00000029 push edx 0x0000002a pop edx 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BF0C second address: 102BF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102BF15 second address: 102BF19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C954 second address: 102C97C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8CB8EFC59Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F8CB8EFC5A3h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C97C second address: 102C982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C982 second address: 102C9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 and esi, 68B5BC60h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F8CB8EFC598h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 jl 00007F8CB8EFC59Eh 0x0000002f jns 00007F8CB8EFC598h 0x00000035 push 00000000h 0x00000037 sub dword ptr [ebp+1245AE2Bh], edi 0x0000003d xchg eax, ebx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F8CB8EFC5A4h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102C9E1 second address: 102C9F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F8CB8C94732h 0x0000000f jnp 00007F8CB8C9472Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D3E7 second address: 102D3EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D3EB second address: 102D3F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D3F1 second address: 102D3F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D3F7 second address: 102D45C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F8CB8C94728h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007F8CB8C94728h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 jmp 00007F8CB8C9472Ch 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push ebx 0x0000004c pushad 0x0000004d popad 0x0000004e pop ebx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D1CD second address: 102D1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102DE4E second address: 102DE58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102E80A second address: 102E823 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030A48 second address: 1030A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032890 second address: 1032894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1032894 second address: 1032898 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036319 second address: 103631F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103631F second address: 10363A7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8CB8C94728h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F8CB8C94728h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007F8CB8C94733h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F8CB8C94728h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D3748h] 0x00000050 xchg eax, esi 0x00000051 push ecx 0x00000052 jmp 00007F8CB8C9472Ch 0x00000057 pop ecx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jp 00007F8CB8C94728h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103743E second address: 1037444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037444 second address: 1037466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8C94735h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037466 second address: 103747B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036522 second address: 1036528 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103747B second address: 1037481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036528 second address: 103652E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103652E second address: 1036532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036532 second address: 10365CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8CB8C94735h 0x0000000e nop 0x0000000f or bx, 9B5Ah 0x00000014 push dword ptr fs:[00000000h] 0x0000001b xor dword ptr [ebp+122D58C9h], edi 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007F8CB8C94728h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 and bl, 00000009h 0x00000045 mov eax, dword ptr [ebp+122D16F1h] 0x0000004b push 00000000h 0x0000004d push ebp 0x0000004e call 00007F8CB8C94728h 0x00000053 pop ebp 0x00000054 mov dword ptr [esp+04h], ebp 0x00000058 add dword ptr [esp+04h], 00000019h 0x00000060 inc ebp 0x00000061 push ebp 0x00000062 ret 0x00000063 pop ebp 0x00000064 ret 0x00000065 mov ebx, dword ptr [ebp+122D22BCh] 0x0000006b mov edi, dword ptr [ebp+122D2858h] 0x00000071 push FFFFFFFFh 0x00000073 mov bh, 53h 0x00000075 nop 0x00000076 push eax 0x00000077 push edx 0x00000078 push edx 0x00000079 jne 00007F8CB8C94726h 0x0000007f pop edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10365CF second address: 10365D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10375C3 second address: 1037642 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b or ebx, 220A5830h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov bx, EBF9h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 sub dword ptr [ebp+122D1D68h], eax 0x00000029 mov eax, dword ptr [ebp+122D0CADh] 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F8CB8C94728h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 push FFFFFFFFh 0x0000004b push 00000000h 0x0000004d push edx 0x0000004e call 00007F8CB8C94728h 0x00000053 pop edx 0x00000054 mov dword ptr [esp+04h], edx 0x00000058 add dword ptr [esp+04h], 00000016h 0x00000060 inc edx 0x00000061 push edx 0x00000062 ret 0x00000063 pop edx 0x00000064 ret 0x00000065 or edi, dword ptr [ebp+122D3748h] 0x0000006b mov bx, E14Ah 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 push eax 0x00000073 push edx 0x00000074 push ecx 0x00000075 pop ecx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037642 second address: 1037646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037646 second address: 103764C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103764C second address: 1037656 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8CB8EFC596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1037656 second address: 103767C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8C9472Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jnp 00007F8CB8C94728h 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F8CB8C94726h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10392D7 second address: 10392DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385B9 second address: 10385BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385BF second address: 10385C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385C3 second address: 10385E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8C94734h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385E4 second address: 10385EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8CB8EFC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385EE second address: 10385F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103948C second address: 10394AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F8CB8EFC5A4h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10394AE second address: 10394B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10394B2 second address: 1039525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov ebx, 0C3DBAC0h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov edi, dword ptr [ebp+122D3660h] 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F8CB8EFC598h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000015h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a movzx edi, bx 0x0000003d mov eax, dword ptr [ebp+122D1739h] 0x00000043 sub dword ptr [ebp+1248BE5Dh], ebx 0x00000049 mov di, si 0x0000004c push FFFFFFFFh 0x0000004e jmp 00007F8CB8EFC59Ah 0x00000053 nop 0x00000054 push ebx 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F8CB8EFC5A4h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1039525 second address: 1039529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1079E47 second address: 1079E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8C94733h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A28F second address: 107A295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A295 second address: 107A29A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A29A second address: 107A2AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8CB8EFC5A0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A411 second address: 107A417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107A736 second address: 107A73C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E9F4 second address: 107EA0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8C9472Dh 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107EA0E second address: 107EA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107E74F second address: 107E755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 107FFB4 second address: 107FFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8CB8EFC596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082EDE second address: 1082EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8CB8C94726h 0x0000000a jmp 00007F8CB8C94733h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082EFC second address: 1082F01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082A54 second address: 1082A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082A58 second address: 1082A68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F8CB8EFC596h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1082A68 second address: 1082A82 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F8CB8C94728h 0x0000000c popad 0x0000000d je 00007F8CB8C94747h 0x00000013 pushad 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108536F second address: 1085387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnc 00007F8CB8EFC596h 0x00000012 popad 0x00000013 push esi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1087588 second address: 108758C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A585 second address: 108A589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089CD6 second address: 1089CE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8CB8C94726h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089DF4 second address: 1089DF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089DF8 second address: 1089DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089F9C second address: 1089FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089FA2 second address: 1089FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089FA8 second address: 1089FB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089FB2 second address: 1089FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F8CB8C94728h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089FC6 second address: 1089FE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089FE3 second address: 1089FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1089FE9 second address: 1089FF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A2C5 second address: 108A2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108A2C9 second address: 108A2D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108D8B0 second address: 108D8CA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8CB8C94726h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F8CB8C94728h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 108DA47 second address: 108DA6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC5A6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push ecx 0x0000000d jg 00007F8CB8EFC59Eh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF10A second address: FDF10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF10E second address: FDF129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8CB8EFC5A2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDF129 second address: FDF12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10929C9 second address: 10929E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC59Bh 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10929E0 second address: 10929E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10929E6 second address: 1092A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC5A3h 0x00000009 popad 0x0000000a jmp 00007F8CB8EFC59Bh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092CBC second address: 1092CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8C94735h 0x00000009 jmp 00007F8CB8C9472Fh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092E7E second address: 1092E9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A8h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092E9C second address: 1092EA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F8CB8C94726h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1092EA9 second address: 1092EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8CB8EFC59Bh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093138 second address: 109315B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8C94738h 0x00000007 pushad 0x00000008 jo 00007F8CB8C94726h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1034064 second address: 103406E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8CB8EFC59Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103406E second address: 10340E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 and cl, 00000000h 0x0000000a mov ebx, dword ptr [ebp+124990A3h] 0x00000010 mov dword ptr [ebp+124588D6h], edi 0x00000016 mov dword ptr [ebp+124578F8h], ebx 0x0000001c add eax, ebx 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F8CB8C94728h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ch 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 or dword ptr [ebp+12469787h], eax 0x0000003e nop 0x0000003f jmp 00007F8CB8C94733h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F8CB8C94738h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10340E5 second address: 103416E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F8CB8EFC598h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov edx, dword ptr [ebp+122D196Eh] 0x0000002a push 00000004h 0x0000002c mov dword ptr [ebp+12484D9Fh], edx 0x00000032 nop 0x00000033 jns 00007F8CB8EFC5AEh 0x00000039 push eax 0x0000003a pushad 0x0000003b jmp 00007F8CB8EFC5A8h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1093333 second address: 1093337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109B667 second address: 109B677 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8CB8EFC5A2h 0x00000008 jc 00007F8CB8EFC596h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109997B second address: 1099991 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8C94732h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099C29 second address: 1099C54 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8CB8EFC596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F8CB8EFC598h 0x00000012 pushad 0x00000013 jp 00007F8CB8EFC596h 0x00000019 jmp 00007F8CB8EFC59Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1099ED0 second address: 1099ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A18C second address: 109A192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A192 second address: 109A19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A19A second address: 109A1A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A1A0 second address: 109A1A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A478 second address: 109A492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F8CB8EFC5A5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A492 second address: 109A4A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F8CB8C94726h 0x0000000a jmp 00007F8CB8C9472Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A7A8 second address: 109A7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8CB8EFC596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A7B2 second address: 109A7B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A7B6 second address: 109A7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F8CB8EFC59Bh 0x0000000e jmp 00007F8CB8EFC59Eh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A7D9 second address: 109A7DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109A7DF second address: 109A7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC5A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109AB16 second address: 109AB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 109B09C second address: 109B0B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC59Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDD63C second address: FDD644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDD644 second address: FDD64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FDD64C second address: FDD652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC0B0 second address: 10AC0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC0B6 second address: 10AC0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC69D second address: 10AC6A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AC6A3 second address: 10AC6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ACB09 second address: 10ACB1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8CB8EFC59Dh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10AD52B second address: 10AD531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B31B0 second address: 10B31BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8CB8EFC596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10B31BA second address: 10B31E8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8CB8C94731h 0x00000008 jmp 00007F8CB8C94732h 0x0000000d pop ebx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFC9B second address: 10BFC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFC9F second address: 10BFCC6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F8CB8C94739h 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFCC6 second address: 10BFCCB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFCCB second address: 10BFCD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFE5F second address: 10BFE67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFE67 second address: 10BFE7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8C9472Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10BFE7E second address: 10BFE82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C59BF second address: 10C59EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8CB8C94736h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F8CB8C9472Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C59EA second address: 10C59F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C59F3 second address: 10C59F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5B37 second address: 10C5B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C5B3B second address: 10C5B43 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C95FD second address: 10C9601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C9601 second address: 10C9643 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8CB8C9472Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F8CB8C9472Eh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F8CB8C94733h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jne 00007F8CB8C94726h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C979C second address: 10C97A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C97A2 second address: 10C97A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C97A6 second address: 10C97D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F8CB8EFC5A2h 0x0000000e je 00007F8CB8EFC59Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F8CB8EFC596h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C97D7 second address: 10C97DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB090 second address: 10DB094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB094 second address: 10DB0A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8CB8C9472Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB0A8 second address: 10DB0AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10D9BDF second address: 10D9BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9BEC second address: 10D9BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9BF0 second address: 10D9C0B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8CB8C94726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F8CB8C9472Eh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9D84 second address: 10D9D88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9EF4 second address: 10D9F16 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8CB8C94726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8CB8C9472Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jc 00007F8CB8C94726h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9F16 second address: 10D9F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10D9F1C second address: 10D9F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DA1E3 second address: 10DA1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DA35C second address: 10DA362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10DA362 second address: 10DA366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E0EB2 second address: 10E0EBE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E0EBE second address: 10E0EC8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8CB8EFC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E43B4 second address: 10E43BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E43BA second address: 10E43BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E7950 second address: 10E7954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E77E0 second address: 10E77E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E96C3 second address: 10E96C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E96C7 second address: 10E96DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8EFC5A0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E96DB second address: 10E96F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8CB8C9472Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10E96F1 second address: 10E9709 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F8CB8EFC5A1h 0x00000008 pop esi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FE85E second address: 10FE864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FE864 second address: 10FE86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FE86A second address: 10FE876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FE3DF second address: 10FE3F3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007F8CB8EFC596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F8CB8EFC598h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10FE3F3 second address: 10FE3FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F8CB8C94726h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1105552 second address: 1105558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1105558 second address: 1105562 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8CB8C94726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1105562 second address: 11055B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8CB8EFC5A9h 0x00000008 pop ebx 0x00000009 push esi 0x0000000a jmp 00007F8CB8EFC5A2h 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8CB8EFC5A2h 0x00000019 jmp 00007F8CB8EFC5A0h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11055B9 second address: 11055C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11047ED second address: 11047FD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8CB8EFC596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E2C second address: 1104E57 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8CB8C94726h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d ja 00007F8CB8C94726h 0x00000013 jl 00007F8CB8C94726h 0x00000019 jmp 00007F8CB8C94731h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1104E57 second address: 1104E5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1110DBF second address: 1110DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1110DC3 second address: 1110DCD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8CB8EFC596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112D94 second address: 1112DB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8CB8C9472Ah 0x00000007 jmp 00007F8CB8C9472Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112DB0 second address: 1112DB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1112DB6 second address: 1112DBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109A0D second address: 1109A11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109A11 second address: 1109A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jp 00007F8CB8C94726h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109A25 second address: 1109A30 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1109A30 second address: 1109A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8CB8C94726h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1108640 second address: 110864A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1108778 second address: 1108782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1108782 second address: 1108788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1108788 second address: 110878C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 110878C second address: 11087AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8CB8EFC5A7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11087AF second address: 11087B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E6D9D9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10188ED instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1018550 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E6B005 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10334B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 10B8B6A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: E74403 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 55A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100B143 rdtsc 0_2_0100B143
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01006D55 sidt fword ptr [esp-02h] 0_2_01006D55
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1012 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01059EBE GetSystemInfo,VirtualAlloc, 0_2_01059EBE
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100B143 rdtsc 0_2_0100B143
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01006A23 LdrInitializeThunk, 0_2_01006A23
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: tProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0105043E GetSystemTime,GetFileTime, 0_2_0105043E

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matched signatures for that technique)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
  • Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Bypass User Account Control (2); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
  • Defense Evasion: Masquerading (1); Disable or Modify Tools (41); Virtualization/Sandbox Evasion (271); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Bypass User Account Control (2)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
  • Discovery: System Time Discovery (1); Security Software Discovery (641); Process Discovery (2); Virtualization/Sandbox Evasion (271); System Information Discovery (24); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
  • Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532476
Start date and time: 2024-10-13 11:03:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.935535350109379
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'766'912 bytes
MD5: a5762c09b778475ada33e2d4c1c0d8f5
SHA1: 2ff1217d17984a3e1527f2f32440ea99803013b3
SHA256: 3304d2d210900dcea3680e88f9de9bcefeb3fcdcc89cd39ef3ef60b0a3a94019
SHA512: 580b49fcb64fe751670f4f4df7a80dbe798c700666a0b86ba9757a33d0f65d7ba410e73cdb0adc2e7abaa696f3a67d8d3c324d348896324091b8ee2c89e557bc
SSDEEP: 49152:+DZzmsRoVhO2a0/ygsE4BFgmScgmCWf2:+DZyQoBa0/yLLO0C2
TLSH: 508533783E5C61D0F9CC6BF81D3BCF34AC34E3188A61D0E9250867792A65693B4B95B3
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............F.. ...`....@.. ........................F...........`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x868000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F8CB8806CCAh
paddq mm3, qword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x2000 | 0x4000 | 0x1200 | 2ee82b9b2f0bc66d257daab628396012 | False | 0.9318576388888888 | data | 7.776433578331075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0xa000 | 0x2b2000 | 0x200 | 137d18ee1998d521dc656230a590bfc4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ucbmcqjh | 0x2bc000 | 0x1aa000 | 0x1a9400 | bac0ab17622f5f9dda9ca1c3fbd02d10 | False | 0.9950850372942387 | data | 7.954511868433097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bkocszwb | 0x466000 | 0x2000 | 0x400 | a7b8e2005961b1882da6a1c7e892b512 | False | 0.7568359375 | data | 5.973673254862783 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x468000 | 0x4000 | 0x2200 | 42ee66d3379f265b6595b5c8898881cc | False | 0.06744025735294118 | DOS executable (COM) | 0.6987100013403911 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 0
Start time: 05:03:55
Start date: 13/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe60000
File size: 1'766'912 bytes
MD5 hash: A5762C09B778475ADA33E2D4C1C0D8F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 3.4%
Signature Coverage: 4.6%
Total number of Nodes: 350
Total number of Limit Nodes: 12
    execution_graph 8037 1006a23 LdrInitializeThunk 8038 1006a35 8037->8038 7758 5541510 7759 5541558 ControlService 7758->7759 7760 554158f 7759->7760 7761 10508c1 7763 10508cd 7761->7763 7768 104c2f1 GetCurrentThreadId 7763->7768 7765 10508d9 7767 10508f9 7765->7767 7772 1050818 7765->7772 7770 104c309 7768->7770 7769 104c350 7769->7765 7770->7769 7771 104c33f Sleep 7770->7771 7771->7770 7774 1050824 7772->7774 7775 1050838 7774->7775 7776 104c2f1 2 API calls 7775->7776 7777 1050850 7776->7777 7785 104ca55 7777->7785 7780 105087b 7783 1050897 GetFileAttributesW 7783->7780 7784 10508a8 GetFileAttributesA 7784->7780 7786 104cb09 7785->7786 7787 104ca69 7785->7787 7786->7780 7789 104ca03 7786->7789 7787->7786 7793 104c8a4 7787->7793 7790 104ca51 7789->7790 7792 104ca14 7789->7792 7790->7780 7790->7783 7790->7784 7791 104c8a4 2 API calls 7791->7792 7792->7790 7792->7791 7795 104c8d1 7793->7795 7794 104c9d7 7794->7787 7795->7794 7796 104c8ff PathAddExtensionA 7795->7796 7797 104c91a 7795->7797 7796->7797 7801 104c93c 7797->7801 7805 104c545 7797->7805 7798 104c985 7798->7794 7800 104c9ae 7798->7800 7803 104c545 lstrcmpiA 7798->7803 7800->7794 7804 104c545 lstrcmpiA 7800->7804 7801->7794 7801->7798 7802 104c545 lstrcmpiA 7801->7802 7802->7798 7803->7800 7804->7794 7806 104c563 7805->7806 7807 104c57a 7806->7807 7809 104c4c2 7806->7809 7807->7801 7811 104c4ed 7809->7811 7810 104c535 7810->7807 7811->7810 7812 104c51f lstrcmpiA 7811->7812 7812->7810 8039 104de60 8041 104de6c 8039->8041 8042 104de80 8041->8042 8044 104dea8 8042->8044 8045 104dec1 8042->8045 8047 104deca 8045->8047 8048 104ded9 8047->8048 8049 104c2f1 2 API calls 8048->8049 8056 104dee1 8048->8056 8052 104deeb 8049->8052 8050 104df84 GetModuleHandleW 8053 104df19 8050->8053 8051 104df92 GetModuleHandleA 8051->8053 8054 104df06 8052->8054 8055 104ca03 2 API calls 8052->8055 8054->8053 8054->8056 8055->8054 8056->8050 8056->8051 8057 55410f0 8058 5541131 8057->8058 8061 104f045 8058->8061 8059 5541151 8062 

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11465FEC), ref: 01059ECA
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 01059F2B
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 4f0c1bb90a66967473b7ab002be09b8bdcf66e89d0c5fb434fd0e65cbab00bb4
    • Instruction ID: cd4a7b0e38981282044b37f752ba5efe06ca14fe579c414a0dc1726fd48c3da4
    • Opcode Fuzzy Hash: 4f0c1bb90a66967473b7ab002be09b8bdcf66e89d0c5fb434fd0e65cbab00bb4
    • Instruction Fuzzy Hash: 3B4161B1E10606AFE765DF648845F97B7ACFF18740F1111A2B64BCA882D77291D0CBA0
    Similarity
    • API ID: InitializeThunk
    • String ID:
    • API String ID: 2994545307-0
    • Opcode ID: 9348a6c1ceec2c5ca07593df74b232b2413065af9be7d7deaa544e3ad0c37136
    • Instruction ID: a25e4887fb2d78a338abb6943d7615ca4a02dfc4215529a80fb3db13d465438c
    • Opcode Fuzzy Hash: 9348a6c1ceec2c5ca07593df74b232b2413065af9be7d7deaa544e3ad0c37136
    • Instruction Fuzzy Hash: EBC02BB196839298D003776E0C4137CB6401767D00F04C006B245236C1C76510119843

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0104DAD5
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0104DAE9
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 6ea9fd6ca3fef49d33e127acb786051564227d7b46ef3dc09bc0a34eaec2d90f
    • Instruction ID: 0a45210a2af286f4a76cbeb99b8afe02299b7f81f6a702a0b67990afe1bbf933
    • Opcode Fuzzy Hash: 6ea9fd6ca3fef49d33e127acb786051564227d7b46ef3dc09bc0a34eaec2d90f
    • Instruction Fuzzy Hash: E53180B1504206EFDF11EF94D984AAE7BB5FF28350F0041BAE98556560C77099B0CB91

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0104DE5C,?,00000000,00000000), ref: 0104DF87
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0104DE5C,?,00000000,00000000), ref: 0104DF95
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 4bd635577d0e51b0063d7bc68137e18fe17ffdfa8d2811cc398003a4cd14a622
    • Instruction ID: f11c19374e4adbd80d112e3d991a69321643086b4ced0c6898de46b8f5a8826e
    • Opcode Fuzzy Hash: 4bd635577d0e51b0063d7bc68137e18fe17ffdfa8d2811cc398003a4cd14a622
    • Instruction Fuzzy Hash: 4B1179F0204606FBFB319F98C98C7E97EB0BF20385F004275EA89445A0D7B5A5A4CB91

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(015F1214,-11465FEC), ref: 0105089D
    • GetFileAttributesA.KERNEL32(00000000,-11465FEC), ref: 010508AB
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: cee6ea3fa987e994d430115d65f50c5abf712567a0294122f8fa8b40414cde99
    • Instruction ID: 855e603f3fb9c385813a98d08c776c4ab2f6135d758a30f23a78ff8b25d0814d
    • Opcode Fuzzy Hash: cee6ea3fa987e994d430115d65f50c5abf712567a0294122f8fa8b40414cde99
    • Instruction Fuzzy Hash: CB018CB0500605FBFFA19F68CA49BBE7EB0BF10344F408174FDCA65098D7B06691DA94

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 01001B7B
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 01001BA2
    • GetNativeSystemInfo.KERNELBASE(?), ref: 01001BF9
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 4cc02e8628f63de67bb8bd70c7b9226d469c565172d3d780210b9f27a4fcb494
    • Instruction ID: 18a9c7f0b2d94d77c594985764325300c74020df4920020ee648bb0029d4b5f1
    • Opcode Fuzzy Hash: 4cc02e8628f63de67bb8bd70c7b9226d469c565172d3d780210b9f27a4fcb494
    • Instruction Fuzzy Hash: C33108B100058EEAFB12DF10C849BEF3AA4EF04710F14442AD98682991E7768DA4CF9D

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0104C906
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 9ef19c2b86359c5c0e192ca7a7526e7d2af5ee109913d3a039569e7fe4433e2a
    • Instruction ID: 5c86a4228cea5db8a7716b9a647f7cad310c60bc3ec42bf30808d655fe1b3ae7
    • Opcode Fuzzy Hash: 9ef19c2b86359c5c0e192ca7a7526e7d2af5ee109913d3a039569e7fe4433e2a
    • Instruction Fuzzy Hash: AB31607990120ABFEF62DF98CE48F9E7BF6BF04740F0401A4E640A5060D7729AA1DB54

    Control-flow Graph

    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0104E017
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: fa441556b41e5fcb08f97d48292ba083e1175f20a69c5e47265bdaab4fefad82
    • Instruction ID: 3f02dc3c533dc1409c87e1080c814bfacb168f0c10afb010ed00fd4fb0d9dd62
    • Opcode Fuzzy Hash: fa441556b41e5fcb08f97d48292ba083e1175f20a69c5e47265bdaab4fefad82
    • Instruction Fuzzy Hash: DEF09AF6100206AFEB209F98DAC8BAE3BB5BF14304F008075FE698A151C374D5A0DB21

    Control-flow Graph

    APIs
    • CreateFileW.KERNELBASE(015F1214,?,?,-11465FEC,?,?,?,-11465FEC,?), ref: 01050AF2
      • Part of subcall function 010509F2: IsBadWritePtr.KERNEL32(?,00000004), ref: 01050A00
    • CreateFileA.KERNEL32(?,?,?,-11465FEC,?,?,?,-11465FEC,?), ref: 01050B12
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 9529f75a69a0bafacd5fc7d5a93c15f16ad91e861ca3d1e676e4d289b3e4244f
    • Instruction ID: c5a6f4ac0043d8a984e0ea760991b42dd2e187b43f5366e8a307d5498b9c72fb
    • Opcode Fuzzy Hash: 9529f75a69a0bafacd5fc7d5a93c15f16ad91e861ca3d1e676e4d289b3e4244f
    • Instruction Fuzzy Hash: 7B11377210114AFBEF929F94CE04BDE3E72BF19344F048225BE8964068C77689B1EB91

    Control-flow Graph

    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    • GetCurrentProcess.KERNEL32(-11465FEC), ref: 010503B9
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0105041F
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: a60d590932de267896346b59a0b217bc998e19d7ed913e55721f72f7470faa24
    • Instruction ID: bb6c54025e208e21530810db5e6f4cf72e1e66c067e4b40d137fd57ee8abd792
    • Opcode Fuzzy Hash: a60d590932de267896346b59a0b217bc998e19d7ed913e55721f72f7470faa24
    • Instruction Fuzzy Hash: BA0128F210010AAB8F62AFA8DD48CDF3F75BF98754B008121FE85A4024CB31D062DB61

    Control-flow Graph

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0104C300
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 30ffef8ba36f6daa23a925e8f5b6fa81b6b69ef22aaed949a6d1b0f4980e5b10
    • Instruction ID: 6f017f2ca7773272d23bd5ff2e920ab2a5acda0b7b8104a5fcf3474649dc73e3
    • Opcode Fuzzy Hash: 30ffef8ba36f6daa23a925e8f5b6fa81b6b69ef22aaed949a6d1b0f4980e5b10
    • Instruction Fuzzy Hash: F9F05972102209FFFB228F65CA8435EB6F4FF0030EF2040B9E20281160E7751B85CAC1

    Control-flow Graph (function at 105a8ea; rendered graph and edge list omitted)
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6a753b274beea7729b9f130d65dfdba53dc14715bcfcd10e5949c088cf315ce4
    • Instruction ID: 6262e1d91a6c3b0e24454fef6bc13be040027c695c572797abfc952f64fdc1ca
    • Opcode Fuzzy Hash: 6a753b274beea7729b9f130d65dfdba53dc14715bcfcd10e5949c088cf315ce4
    • Instruction Fuzzy Hash: 16418D71A00216EFEBA1CF18DA44BAFBBF1FF04310F158295ED82A7591D371A890CB51

    Control-flow Graph (function at 104ea2b; rendered graph and edge list omitted)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0104EAE0
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 569fea121fa003d98e6201cfa16525e176c6e5c6d1f72d653c245ded06daa273
    • Instruction ID: 5d6d490398dfb0a8d72ff5bcf2b096ff5527775054f73540b3d0ed09dcae3b2d
    • Opcode Fuzzy Hash: 569fea121fa003d98e6201cfa16525e176c6e5c6d1f72d653c245ded06daa273
    • Instruction Fuzzy Hash: 6B318FB1900205FBEB209F64DC88F9EBBB8FF04314F208179F659AA191D775A651CB60

    Control-flow Graph (function at 104e247; rendered graph and edge list omitted)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0104E2C9
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a7879254be8e8501f1559cc98395fd09ceee7fbcdbd066d2cd85b0efb7bb4ce9
    • Instruction ID: ecca103e380ef035fe85613413476407a0a16e2672e8422ad0fb2d3588818968
    • Opcode Fuzzy Hash: a7879254be8e8501f1559cc98395fd09ceee7fbcdbd066d2cd85b0efb7bb4ce9
    • Instruction Fuzzy Hash: 0E31F7B1600205BFE7219F64DC89FD9B7B8BF04764F208369F615EA0D1D7B5A151CB14

    Control-flow Graph (function at 105a637; rendered graph and edge list omitted)
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0105A6E4
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 9fb5150bbb9a6c6923bdf6ea33020c590ebed361e664cdf9aeb33adf05f57005
    • Instruction ID: f8e84e9ef25520a0cdb7e45f2a143292c15cc3312da7e58685c09082b94b25c2
    • Opcode Fuzzy Hash: 9fb5150bbb9a6c6923bdf6ea33020c590ebed361e664cdf9aeb33adf05f57005
    • Instruction Fuzzy Hash: FA117F71F01629DBEBF18A188C48BEB77FCFF44750F1041A5ED86A7041D7749980CAA1
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05540DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1797943626.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5540000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 1feb8c0cbca53226c6b94e83d275f0ee7323d892ee8947ae52f70e59605bfd50
    • Instruction ID: 254df88d99d6df325485940b6059f5074aa22ee8ae282625c9d639a59ea20955
    • Opcode Fuzzy Hash: 1feb8c0cbca53226c6b94e83d275f0ee7323d892ee8947ae52f70e59605bfd50
    • Instruction Fuzzy Hash: EB2137B6C002189FCB50CF99D888ADEFBF4FB88320F24851AD909AB254D734A544CFA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05540DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1797943626.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5540000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: a6bfcc82017bbfd5856cec474521187718df7256af8f9a9cfb6b3176259504ad
    • Instruction ID: 5b685e5c4c53f1ada3e3f9e153c375db56b655471f03e170eac2a3ea424d4a13
    • Opcode Fuzzy Hash: a6bfcc82017bbfd5856cec474521187718df7256af8f9a9cfb6b3176259504ad
    • Instruction Fuzzy Hash: 5C2115B6C012189FCB54CF99D884ADEFBF4FF88320F24811AD909AB254D734A544CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05541580
    Memory Dump Source
    • Source File: 00000000.00000002.1797943626.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5540000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 6fbb13e5a45e5b240c160911404af0377a9d13fbda90b5ca2d2b8ff2b4c8708b
    • Instruction ID: 50fc725fc7db7a58323f00e755000c0019f57debfd3ee7e19d3ea505f54160a7
    • Opcode Fuzzy Hash: 6fbb13e5a45e5b240c160911404af0377a9d13fbda90b5ca2d2b8ff2b4c8708b
    • Instruction Fuzzy Hash: 972103B59002499FCB10CFAAC484BDEFBF4FB48324F10842AE559A7250D778A684CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05541580
    Memory Dump Source
    • Source File: 00000000.00000002.1797943626.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5540000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 8bf43caa00edc1a2a8d08a26af22c3b89b98b4c4de70f959638be3b30dd2676f
    • Instruction ID: c2f164ad89d8fae02eed3f5bb3aaa35747a7a5dbc5723bd8e3dfe7ab233a29a7
    • Opcode Fuzzy Hash: 8bf43caa00edc1a2a8d08a26af22c3b89b98b4c4de70f959638be3b30dd2676f
    • Instruction Fuzzy Hash: 2D11D3B59006499FDB10CF9AC584BDEFBF4BB48324F10802AE559A7250D778A684CFA5
    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11465FEC), ref: 010515FF
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: 9e4903331b2b8fd1ab93215f23223eefb0b31ee92dac940732fb8259d45e4646
    • Instruction ID: a8981f7ef9e6ac024a379a8b835c3b376f7ba03d7fae0881d20ecd0a1c652759
    • Opcode Fuzzy Hash: 9e4903331b2b8fd1ab93215f23223eefb0b31ee92dac940732fb8259d45e4646
    • Instruction Fuzzy Hash: 0B11B7B250020BFFDF52AFA4DD48EDF3F66AF59244B084561FA5255020C736C5B2EBA1
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 2df8f18561c8f31556778d8c9369da88dd5348c6cb7b55d0aa098eec582d90a1
    • Instruction ID: b0b962ad39dec1d8ad0daeac945af152e3e98ec681127cd4a38521f7cbb8f3b7
    • Opcode Fuzzy Hash: 2df8f18561c8f31556778d8c9369da88dd5348c6cb7b55d0aa098eec582d90a1
    • Instruction Fuzzy Hash: CB1139B210020AEBDF52AFA8C948BDF3FB5BF54244F048460FE9556061C775C661DB60
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05541367
    Memory Dump Source
    • Source File: 00000000.00000002.1797943626.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5540000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: b34d2eb5b0e49789514ed6b74bea1a7df64da7e71e03cb4d613a14a89b839480
    • Instruction ID: 7a7bae0629b0994f8b4c11df7f0404445467ff6a0977cfcfb2131714d0552bb4
    • Opcode Fuzzy Hash: b34d2eb5b0e49789514ed6b74bea1a7df64da7e71e03cb4d613a14a89b839480
    • Instruction Fuzzy Hash: E81113B1900349CFDB20DF9AD445BDEBBF4AF48324F20842AD558A3251D778A584CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05541367
    Memory Dump Source
    • Source File: 00000000.00000002.1797943626.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5540000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: e252bfb651c921ce154d6b7bbf0d8b61683c2352fdab3c4d1f26c5fa2e386ded
    • Instruction ID: eb864193d734bfda98c4678be2721862ca12f11669eddd3159c4fd23776a74d7
    • Opcode Fuzzy Hash: e252bfb651c921ce154d6b7bbf0d8b61683c2352fdab3c4d1f26c5fa2e386ded
    • Instruction Fuzzy Hash: D71133B1900349CFDB20CF9AC445BDEFBF8EB48324F20842AD558A3250C778A984CFA5
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 28a29951d78db42937d8c3b61dd0300973b381a068cb10d034fdf82878bfc5ed
    • Instruction ID: 9018b654ba421848112a49e4cd9a499c17124b78f468a0afeaf353e5a21b8871
    • Opcode Fuzzy Hash: 28a29951d78db42937d8c3b61dd0300973b381a068cb10d034fdf82878bfc5ed
    • Instruction Fuzzy Hash: 560149B694D311DBE3029E28D88C23DF7E5EF44A50F59843DB5C687380E9700982C783
    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11465FEC,?,?,0104E973,?,?,00000400,?,00000000,?,00000000), ref: 01050CB0
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: 337e7d219a2edfeb51a8e9c0bd02fbe4bc603d704865fa9fcf5cbcf7855602ec
    • Instruction ID: 50e0e559d30d8ad21e4b518b6cf4d0f577adeebffb983cf02ec59504880b6992
    • Opcode Fuzzy Hash: 337e7d219a2edfeb51a8e9c0bd02fbe4bc603d704865fa9fcf5cbcf7855602ec
    • Instruction Fuzzy Hash: 16F0C9B210020AABDF526F98DD48DDF3F76BF5A341B008425FA4555024C772C5A2EB61
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: e9e3d6ddfa8d4c48ce061244e55fffdeba2c6268e065e75a7f7bc1d3f46eb061
    • Instruction ID: 09e8ce4e00cca8106ea31482f67d366d545b36887b4564a5eb53326b9c1231eb
    • Opcode Fuzzy Hash: e9e3d6ddfa8d4c48ce061244e55fffdeba2c6268e065e75a7f7bc1d3f46eb061
    • Instruction Fuzzy Hash: B901E8B5A01119BFEF21AFA8DD44EDEBFBAEF44740F0441B1A905A4060D73296A1DBA4
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0105A25D,?,?,01059F63,?,?,01059F63,?,?,01059F63), ref: 0105A281
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 00b82cd5eee70b8f6a4bb5974a43255ad9f72dc6ab5523d9201fe31b286fdae5
    • Instruction ID: de4b8766f089b3bb5e810fdf3c3dd3d7d16b24604018c53fd449e3f122165a09
    • Opcode Fuzzy Hash: 00b82cd5eee70b8f6a4bb5974a43255ad9f72dc6ab5523d9201fe31b286fdae5
    • Instruction Fuzzy Hash: CAF0D6B1A00305EFE7618F18C906B5ABBF0FF447A1F5180A5F54A9B952D37284D1DB90
    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    • CloseHandle.KERNELBASE(0104EA08,-11465FEC,?,?,0104EA08,?), ref: 0104F083
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 64f5baf00820f3b068ebb331971a9e9a6360fd69bfd802fabbbc0c26644fcc04
    • Instruction ID: 0bddb582f7d4f5b2fa1cc868d441fe2d973eb7ac52807377998579b6423db511
    • Opcode Fuzzy Hash: 64f5baf00820f3b068ebb331971a9e9a6360fd69bfd802fabbbc0c26644fcc04
    • Instruction Fuzzy Hash: 86E04FF6200107A7EF207BBCDD88DCE6E68AFE57817008131B58695020DA74D19286B1
    APIs
    • CloseHandle.KERNELBASE(?,?,0104C190,?,?), ref: 0104E110
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: d2e49351ba64fd5bbde756d1ff08aeaeb932299c6dceb17367650a09de61f405
    • Instruction ID: df2adfbd990d3995df8497c0263d1013139dcd25fbd7cea7395ac34144e077af
    • Opcode Fuzzy Hash: d2e49351ba64fd5bbde756d1ff08aeaeb932299c6dceb17367650a09de61f405
    • Instruction Fuzzy Hash: 75B09B7100450DB7CB01BF51DC4584D7F65BF112D4B008120B555440219775D56197D1
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: spt$"2V$*HCw$>/z$AW<W$DG|$$HL6y$Ws~$q'_$}o9~
    • API String ID: 0-2785596020
    • Opcode ID: a9619664bf15cd9678661ba3b185ef6b8dcc7b3a0e920e93c71767b6c603cfe7
    • Instruction ID: 1685ad5f9a832427c00ed6157d46f8ef34a109173c53000eff85a6f85359adfb
    • Opcode Fuzzy Hash: a9619664bf15cd9678661ba3b185ef6b8dcc7b3a0e920e93c71767b6c603cfe7
    • Instruction Fuzzy Hash: A9B239F3A0C2049FE304AE2DEC8567ABBE5EF94720F1A463DEAC4C3744E93558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: .XDm$6}~$7M~{$LMg>$nd9}$qMV$z\>^$w
    • API String ID: 0-529721429
    • Opcode ID: eac79dc0560abe5afd0a3d27228caca40dd01bd8f610b5e2419d03c515c736c6
    • Instruction ID: e8775786898dce853be971bf09ca226bb8c8e9ea8b33189c586a0fa0bd37858d
    • Opcode Fuzzy Hash: eac79dc0560abe5afd0a3d27228caca40dd01bd8f610b5e2419d03c515c736c6
    • Instruction Fuzzy Hash: 8DB2D5F360C2009FE304AE2DEC8567AFBE9EB94720F16893DE6C5C7744EA3558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 1m]$6&fz$B?~$O1u$vhk~$whk~$}Z
    • API String ID: 0-795530417
    • Opcode ID: f40ed40d24cbb3b668faf9d61d1c783a0df58fd9959e46e7113d121e15308ca2
    • Instruction ID: 0eebaf698218f70132e8dc297789b935042c84ffc77154947f6b139dbd59088f
    • Opcode Fuzzy Hash: f40ed40d24cbb3b668faf9d61d1c783a0df58fd9959e46e7113d121e15308ca2
    • Instruction Fuzzy Hash: FFB23AF3A082049FE304AE2DEC8577ABBE5EF94320F1A453DEAC5C7744E93598058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: ?N}U$Av$O_7$\7p$a"o$e1ry
    • API String ID: 0-3634947784
    • Opcode ID: 41d31c30af8e95030e7067f9114779738ac16af65091cb5829ac8428007dec03
    • Instruction ID: 815a8e58cc9cb8eb734cb8c9825eac83278702158ea0a582cc6ba2a4285632aa
    • Opcode Fuzzy Hash: 41d31c30af8e95030e7067f9114779738ac16af65091cb5829ac8428007dec03
    • Instruction Fuzzy Hash: AAB206F360C2049FE304AE2DEC85A7AF7E9EF94720F16493DEAC583740EA7558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: /"y}$4D]g$B$ $e6~_$r:'$wG_4
    • API String ID: 0-871776663
    • Opcode ID: e12bbcf4726188292e04491eae55b854f47c6ba7bcf3a0ae5b265e200c6e0a37
    • Instruction ID: 4b5ad90fb865c4f16de522a5664a2ebbfbd6f2ea8006440dea24656ae83fb912
    • Opcode Fuzzy Hash: e12bbcf4726188292e04491eae55b854f47c6ba7bcf3a0ae5b265e200c6e0a37
    • Instruction Fuzzy Hash: AE924AF3A0C2049FE7086E2DEC8567AFBE5EB94720F16463DE6C5C3744EA3198058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 7Y^^$E!o-$OL21$n eU$}Y;u
    • API String ID: 0-689923787
    • Opcode ID: 00c86e943685abc22c4a86c7bc13b9eb3861c3fbdf79086c4f1e24ef224ff56e
    • Instruction ID: db8356de36d1aa9829d62b2c4f45103b5d6db989b5aac7638f4a5addf24ab610
    • Opcode Fuzzy Hash: 00c86e943685abc22c4a86c7bc13b9eb3861c3fbdf79086c4f1e24ef224ff56e
    • Instruction Fuzzy Hash: D2B206F360C2149FE3046E2DEC8567AFBE9EF94320F16493DEAC4C3744EA7558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 4i~o$59>S$Q"-$j2w$sow
    • API String ID: 0-3447971803
    • Opcode ID: 1071aff2d71d9f0441804e94e878c3622b4c059ecd11ede053f0b503533652f6
    • Instruction ID: d155c74b21a19e25d57b9493c96b7dcc961fba8f6d131e87e1c3cf204186c060
    • Opcode Fuzzy Hash: 1071aff2d71d9f0441804e94e878c3622b4c059ecd11ede053f0b503533652f6
    • Instruction Fuzzy Hash: 7FB218F360C6049FE304AE29EC8567AFBE9EF94720F16493DE6C5C3744EA3598018697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 'HW$<#Ww$<#Ww$rYc^
    • API String ID: 0-930339465
    • Opcode ID: 8ad99d208b656e510aa43f6b53f60e95693c1538cf80be94f04c92a21610f663
    • Instruction ID: 19d23b5604bbc0be5fc993d107ad9066585803a7de691faecc6e9559eadcccc9
    • Opcode Fuzzy Hash: 8ad99d208b656e510aa43f6b53f60e95693c1538cf80be94f04c92a21610f663
    • Instruction Fuzzy Hash: 698218F360C204AFE3046E2DEC8567ABBEAEFD4720F1A853DE6C487744E93558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: hu}$"=`t$J<g
    • API String ID: 0-3734201161
    • Opcode ID: 973d3351ffb9ea19dad24bdc138362788d0d756c775d893e9d815b69e24d5374
    • Instruction ID: e72ef654e08fbdd3f32d67d87ccd58dad67ccdea9d4a1472725e553f3df38050
    • Opcode Fuzzy Hash: 973d3351ffb9ea19dad24bdc138362788d0d756c775d893e9d815b69e24d5374
    • Instruction Fuzzy Hash: 4472F8F360C2009FE704AE29EC8567EFBE9EF94720F1A492DE6C4C7744E63598058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: F6|$d/{$znOy
    • API String ID: 0-1812145564
    • Opcode ID: 2b5a5934808c378ef7d22592be967378c84197811d01f88ad6e0047df5df1b39
    • Instruction ID: 97cd052e2aafede6505b9e7f2692ce59b6a23a880ba775d002db2dc1e5da2f40
    • Opcode Fuzzy Hash: 2b5a5934808c378ef7d22592be967378c84197811d01f88ad6e0047df5df1b39
    • Instruction Fuzzy Hash: 9F6237F350C2049FE3046E2DEC8567ABBE9EF94720F1A493DEAC8C3744E67599008796
    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
    • GetSystemTime.KERNEL32(?,-11465FEC), ref: 01050473
    • GetFileTime.KERNEL32(?,?,?,?,-11465FEC), ref: 010504B6
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: 9844918f152a8b96182a767728a15b914e478e2659c1209e47e5ed44ccd4e5f5
    • Instruction ID: 45cc98d89ca4d2c0033da615053b4968636353a4662cd98f1fbdb923ecdfb5bd
    • Opcode Fuzzy Hash: 9844918f152a8b96182a767728a15b914e478e2659c1209e47e5ed44ccd4e5f5
    • Instruction Fuzzy Hash: 310128B220254AFBEF216F59DD08D8F7F79FFD5711B008131F84555025CB7288A2DA61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: o]_
    • API String ID: 0-1648518021
    • Opcode ID: b5f6e54db56f11844e447b81cbfb25a3d7ace15fdf7b9e5fe096061ffd8c9d87
    • Instruction ID: cf246b01388dcfa14636a385c7fb893578eb2b720f59dd37d417adf3a542a142
    • Opcode Fuzzy Hash: b5f6e54db56f11844e447b81cbfb25a3d7ace15fdf7b9e5fe096061ffd8c9d87
    • Instruction Fuzzy Hash: 8372F7F360C2009FE7046E29EC8567ABBE9EFD4720F1A893DEAC487344E63558158697
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 01051343
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: f31c64ab76e5a7eb776fd48b53d4dd5140fcd8960ef7ebda0a616fbf768d1e00
    • Instruction ID: 41667a0320e2ac28a95087ef2fce08a931857c8df5c13949b519951ab167f851
    • Opcode Fuzzy Hash: f31c64ab76e5a7eb776fd48b53d4dd5140fcd8960ef7ebda0a616fbf768d1e00
    • Instruction Fuzzy Hash: 33F0F83260120AEFCF41CF94C918A8D7BB1FF09354F14C525F915A6512C77596A1EF44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: .?
    • API String ID: 0-2522436520
    • Opcode ID: 631011378b7c297269105f1f474c730cea881f0517390fb195906030a0630b13
    • Instruction ID: f72423a426db3fa8f91890ece0d7eebc0bfaca99a22be60b611f255f0d7f61e1
    • Opcode Fuzzy Hash: 631011378b7c297269105f1f474c730cea881f0517390fb195906030a0630b13
    • Instruction Fuzzy Hash: A8517DF3E082145BE3106E2DDC8476ABAD9EBD4720F2B863DDBC497784E8794C0582C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: $\]
    • API String ID: 0-399495259
    • Opcode ID: e8eeb51c8776b533405713fb1a30bf9a690644bce0d3acecf386cf349f30b7e6
    • Instruction ID: 8f5e44969501ca8f38e3017ab88189763ba41c898293fb4e1e5e492892b611bb
    • Opcode Fuzzy Hash: e8eeb51c8776b533405713fb1a30bf9a690644bce0d3acecf386cf349f30b7e6
    • Instruction Fuzzy Hash: 075117F3E087148BE310693DDD8537AB7D69B90720F2A823DDF98577C5E93A980582C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: AVm7
    • API String ID: 0-36897443
    • Opcode ID: 92cd71127e994b4eeaae2508181352ec07415060c48cb0045774f50bc037cbb8
    • Instruction ID: d42b9480d8474d0e3be7f3d95fbdf419f409696acba12f8bbd63e236a672fb06
    • Opcode Fuzzy Hash: 92cd71127e994b4eeaae2508181352ec07415060c48cb0045774f50bc037cbb8
    • Instruction Fuzzy Hash: 3F5137F3919608AFE3046D68EC847B6B7D9DB90320F0A453DEA9483780F93A881586C6
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 75d0e8b5800f0677965d61e1e8be34ec1a2a8995f7cf38922c0bed63b6a2663c
    • Instruction ID: f6d4a18cae6b0edcadb216b170b0343e61cf1cf656d434cbf35470bd833551b6
    • Opcode Fuzzy Hash: 75d0e8b5800f0677965d61e1e8be34ec1a2a8995f7cf38922c0bed63b6a2663c
    • Instruction Fuzzy Hash: E45169F3F142044BE704593DDD5836ABB8BDBD4320F2F863DDA4897788EC7959098292
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1795885619.0000000000E60000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795901306.0000000000E62000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795919297.0000000000E66000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000110D000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1795933821.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796164355.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796277725.00000000012C6000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1796345812.00000000012C8000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cb0f48f0cf54baf7e0e39cd2590199923974dc7e4eb3b2b1df97117eb64a7b0b
    • Instruction ID: 0da9bcc1776d3c9e6ca5fb4fed1e6434e2bae63c6d6db3b46d05f9b0887e74c1
    • Opcode Fuzzy Hash: cb0f48f0cf54baf7e0e39cd2590199923974dc7e4eb3b2b1df97117eb64a7b0b
    • Instruction Fuzzy Hash: FE5108F37182045FF314AD39EC9577BBBD6DBC4720F1A863DE68487784E83594054295
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    APIs
      • Part of subcall function 0104C2F1: GetCurrentThreadId.KERNEL32 ref: 0104C300
      • Part of subcall function 0104C2F1: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104C343
      • Part of subcall function 010509F2: IsBadWritePtr.KERNEL32(?,00000004), ref: 01050A00
    • wsprintfA.USER32 ref: 0104F9BA
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 0104FA7E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    APIs
    • GetFileAttributesExW.KERNEL32(015F1214,00004020,00000000,-11465FEC), ref: 01050632
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1795933821.0000000000FF9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805