
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532848
MD5: d5594be2f336a72d721e5975f0017a0b
SHA1: fc67fa32457fc3b6fa5c21501c19771ff4606797
SHA256: 2a57b637d1d4c080203cb0410b2cae1aecf7fd0b945f75c6237d4b3a1edc402e
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D5594BE2F336A72D721E5975F0017A0B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01052B92 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1841243545.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEC074
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010891E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDF1DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBB17E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E8813F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF1235
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010105D9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEA55F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D1711
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E74D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEF743
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDB70A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE89AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01010B31
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE3A64
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD9B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010DBA97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF0C94
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FDEC7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEDC02
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F95DC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE6E7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E9CE48
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF3F44
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0104DB87 appears 35 times
Source: file.exe, 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Section: ktgtzmwy ZLIB complexity 0.9949067898882114
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04D015D0 ChangeServiceConfigA
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1788416 > 1048576
Source: file.exe | Static PE information: Raw size of ktgtzmwy is bigger than: 0x100000 < 0x1ae800
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1841243545.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ktgtzmwy:EW;rcunbeor:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b4c87 should be: 0x1c47e2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: ktgtzmwy
Source: file.exe | Static PE information: section name: rcunbeor
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003CB4 push ebx; mov dword ptr [esp], edi | 0_2_01006435
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003CB4 push 160E5CB4h; mov dword ptr [esp], esi | 0_2_0100643D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003CB4 push ebp; mov dword ptr [esp], eax | 0_2_010075C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004E4B push ebp; mov dword ptr [esp], ecx | 0_2_01008C93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004E4B push 6C03A775h; mov dword ptr [esp], esi | 0_2_01008CA3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010CE113 push edi; mov dword ptr [esp], eax | 0_2_010CE117
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E120 push ebp; mov dword ptr [esp], edi | 0_2_0107E15E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0107E120 push ebx; mov dword ptr [esp], edx | 0_2_0107E180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push edi; mov dword ptr [esp], eax | 0_2_00FE210E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ebx; mov dword ptr [esp], 7BBFE2B0h | 0_2_00FE217F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 52AFCC00h; mov dword ptr [esp], esi | 0_2_00FE2203
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push eax; mov dword ptr [esp], edx | 0_2_00FE2224
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 4CFFEA1Ch; mov dword ptr [esp], edx | 0_2_00FE2264
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ecx; mov dword ptr [esp], ebx | 0_2_00FE22B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push eax; mov dword ptr [esp], 229FC71Dh | 0_2_00FE22C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 721E60C7h; mov dword ptr [esp], ecx | 0_2_00FE235D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 6F899328h; mov dword ptr [esp], eax | 0_2_00FE2365
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push edx; mov dword ptr [esp], 6FB34BC9h | 0_2_00FE2369
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ebx; mov dword ptr [esp], 775F5E00h | 0_2_00FE23CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 07288E72h; mov dword ptr [esp], edi | 0_2_00FE23EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 719E49D2h; mov dword ptr [esp], ebp | 0_2_00FE23F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ebp; mov dword ptr [esp], edi | 0_2_00FE2477
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 2ED4F10Ah; mov dword ptr [esp], eax | 0_2_00FE247F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push eax; mov dword ptr [esp], esi | 0_2_00FE249B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 1F16706Fh; mov dword ptr [esp], esi | 0_2_00FE24CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ebp; mov dword ptr [esp], 7F96D030h | 0_2_00FE250C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ebp; mov dword ptr [esp], ecx | 0_2_00FE25B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 36FDED02h; mov dword ptr [esp], edi | 0_2_00FE25CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push eax; mov dword ptr [esp], 1925DE77h | 0_2_00FE266D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push 63391F73h; mov dword ptr [esp], eax | 0_2_00FE26C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE20D4 push ecx; mov dword ptr [esp], ebx | 0_2_00FE26C8
Source: file.exe | Static PE information: section name: entropy: 7.787330887518301
Source: file.exe | Static PE information: section name: ktgtzmwy entropy: 7.952952169167182

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF783F second address: FF7850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFDA4C418EAh 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7850 second address: FF785C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFDA4C38656h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF785C second address: FF7867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7867 second address: FF786B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF79A8 second address: FF79CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418F7h 0x00000007 ja 00007EFDA4C418EEh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7B3E second address: FF7B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7B4B second address: FF7B6A instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFDA4C418E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFDA4C418F3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF7CFB second address: FF7D3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007EFDA4C38656h 0x00000009 jmp 00007EFDA4C38661h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007EFDA4C38660h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007EFDA4C3865Dh 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9B5F second address: FF9BE5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFDA4C418F6h 0x00000008 jmp 00007EFDA4C418F0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 jmp 00007EFDA4C418F0h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007EFDA4C418E8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000018h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov edx, dword ptr [ebp+122D384Dh] 0x00000039 push esi 0x0000003a movsx ecx, di 0x0000003d pop ecx 0x0000003e call 00007EFDA4C418E9h 0x00000043 jmp 00007EFDA4C418F8h 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jnc 00007EFDA4C418E6h 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9BE5 second address: FF9BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007EFDA4C3865Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9BF9 second address: FF9BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9BFD second address: FF9C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9C02 second address: FF9C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFDA4C418ECh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9C1B second address: FF9C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9C21 second address: FF9CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007EFDA4C418F2h 0x00000012 pop eax 0x00000013 jmp 00007EFDA4C418EAh 0x00000018 push 00000003h 0x0000001a mov si, F748h 0x0000001e mov ecx, dword ptr [ebp+122D1CBCh] 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007EFDA4C418E8h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 00000015h 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 xor dword ptr [ebp+122D18D0h], ecx 0x00000046 push 00000003h 0x00000048 sub dword ptr [ebp+122D1C43h], ecx 0x0000004e push 88371456h 0x00000053 pushad 0x00000054 jp 00007EFDA4C418F4h 0x0000005a pushad 0x0000005b push ebx 0x0000005c pop ebx 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9CAB second address: FF9D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 add dword ptr [esp], 37C8EBAAh 0x0000000d call 00007EFDA4C38669h 0x00000012 cmc 0x00000013 pop esi 0x00000014 lea ebx, dword ptr [ebp+1245FA72h] 0x0000001a mov dword ptr [ebp+122D17D6h], edx 0x00000020 xchg eax, ebx 0x00000021 js 00007EFDA4C38667h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007EFDA4C3865Fh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9D09 second address: FF9D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFDA4C418EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9DBF second address: FF9DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9F9C second address: FF9FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9FA8 second address: FF9FBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFDA4C3865Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9FBD second address: FF9FE4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFDA4C418E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 jnc 00007EFDA4C418E6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007EFDA4C418EBh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9FE4 second address: FF9FF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007EFDA4C38656h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF9FF7 second address: FFA00E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFA00E second address: FFA046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C38663h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e jmp 00007EFDA4C38664h 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007EFDA4C38656h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101B960 second address: 101B964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE4F3D second address: FE4F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE4F43 second address: FE4F49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1019D22 second address: 1019D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1019E58 second address: 1019E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A10D second address: 101A12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFDA4C38667h 0x00000009 jbe 00007EFDA4C38656h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A12E second address: 101A132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A2AD second address: 101A2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFDA4C38656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A2B7 second address: 101A2C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A2C4 second address: 101A2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A593 second address: 101A5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFDA4C418E6h 0x0000000a jg 00007EFDA4C418E6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A5A4 second address: 101A5CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007EFDA4C3866Ch 0x00000011 jmp 00007EFDA4C38666h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A5CF second address: 101A5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A763 second address: 101A77D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFDA4C38664h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101A77D second address: 101A782 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101AFBE second address: 101AFF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFDA4C3865Fh 0x0000000a jmp 00007EFDA4C3865Ah 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007EFDA4C38663h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101B13D second address: 101B147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007EFDA4C418E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101B77A second address: 101B780 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101B780 second address: 101B786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101DD49 second address: 101DD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 101DDD5 second address: 101DDDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1025B6C second address: 1025B88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C38668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102627C second address: 1026280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1026280 second address: 1026284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1026284 second address: 102629D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFDA4C418F3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102629D second address: 10262A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10262A3 second address: 10262A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1026500 second address: 1026511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007EFDA4C38656h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1026511 second address: 102651B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1028B1D second address: 1028B5C instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFDA4C38658h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 585A9333h 0x00000013 and esi, 0B892A9Dh 0x00000019 call 00007EFDA4C38659h 0x0000001e jl 00007EFDA4C38662h 0x00000024 jg 00007EFDA4C3865Ch 0x0000002a push eax 0x0000002b jbe 00007EFDA4C3866Dh 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1028B5C second address: 1028B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jnc 00007EFDA4C418F7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1028F7F second address: 1028F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1028F83 second address: 1028F89 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1028F89 second address: 1028F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1028F8F second address: 1028FB0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jmp 00007EFDA4C418F4h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1029110 second address: 1029114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102934C second address: 1029350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 102991B second address: 1029921 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1029AE8 second address: 1029AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B318 second address: 102B33B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007EFDA4C38660h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102B33B second address: 102B353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D25B second address: 102D261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 102D261 second address: 102D265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103071F second address: 1030723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030723 second address: 103075B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFDA4C418F0h 0x0000000b popad 0x0000000c nop 0x0000000d mov edi, 44B6D0DBh 0x00000012 push 00000000h 0x00000014 mov esi, edi 0x00000016 pushad 0x00000017 mov al, 83h 0x00000019 or dword ptr [ebp+1247A59Eh], ebx 0x0000001f popad 0x00000020 push 00000000h 0x00000022 adc esi, 3BC40904h 0x00000028 push eax 0x00000029 pushad 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103075B second address: 1030761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1030761 second address: 103076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103076A second address: 103076E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1031941 second address: 103194F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10350C8 second address: 10350CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1036441 second address: 103645E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFDA4C418F6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10374CA second address: 10374D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385B4 second address: 10385B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10374D1 second address: 10374E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007EFDA4C3865Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C2CF second address: 103C2D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385B8 second address: 10385BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10374E7 second address: 10374F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007EFDA4C418E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C2D7 second address: 103C2DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10385BC second address: 10385C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C2DC second address: 103C2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFDA4C3865Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C915 second address: 103C96A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D1CEDh], eax 0x0000000e push 00000000h 0x00000010 call 00007EFDA4C418F6h 0x00000015 mov ebx, dword ptr [ebp+122D3537h] 0x0000001b pop ebx 0x0000001c mov di, A500h 0x00000020 push 00000000h 0x00000022 or edi, dword ptr [ebp+122D2F71h] 0x00000028 xchg eax, esi 0x00000029 push ebx 0x0000002a pushad 0x0000002b jmp 00007EFDA4C418F7h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C96A second address: 103C98C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFDA4C38669h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103C98C second address: 103C991 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103CC24 second address: 103CC2E instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFDA4C38656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EC60 second address: 103EC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EC65 second address: 103EC6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FC6A second address: 103FC6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103FC6E second address: 103FCD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a jg 00007EFDA4C38673h 0x00000010 push 00000000h 0x00000012 mov di, ax 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007EFDA4C38658h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov ebx, dword ptr [ebp+122D3729h] 0x00000037 sub ebx, dword ptr [ebp+122D18C9h] 0x0000003d xchg eax, esi 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EDA7 second address: 103EDAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DCC1 second address: 103DCDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C38665h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EDAB second address: 103EDAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1042403 second address: 1042415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007EFDA4C3865Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DCDE second address: 103DCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043486 second address: 104348B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EDAF second address: 103EDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1044338 second address: 104433E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1042415 second address: 1042499 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFDA4C418E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D1AD1h], edi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 sbb bx, 4433h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007EFDA4C418E8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f jg 00007EFDA4C418FAh 0x00000045 mov eax, dword ptr [ebp+122D13FDh] 0x0000004b cld 0x0000004c push FFFFFFFFh 0x0000004e mov di, dx 0x00000051 mov dword ptr [ebp+122D195Eh], edi 0x00000057 nop 0x00000058 jmp 00007EFDA4C418EEh 0x0000005d push eax 0x0000005e push edi 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103DCE2 second address: 103DCE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104348B second address: 1043491 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EDB9 second address: 103EDBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FF288B second address: FF289C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007EFDA4C418E6h 0x00000009 jnp 00007EFDA4C418E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043491 second address: 1043495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 103EDBD second address: 103EE6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d jmp 00007EFDA4C418F1h 0x00000012 pop ecx 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 popad 0x00000018 nop 0x00000019 sub di, B44Fh 0x0000001e push dword ptr fs:[00000000h] 0x00000025 jmp 00007EFDA4C418EEh 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007EFDA4C418E8h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 0000001Dh 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b cmc 0x0000004c mov eax, dword ptr [ebp+122D10D5h] 0x00000052 sub dword ptr [ebp+122D30F0h], esi 0x00000058 jbe 00007EFDA4C418F1h 0x0000005e jp 00007EFDA4C418EBh 0x00000064 xor di, 8D90h 0x00000069 push FFFFFFFFh 0x0000006b xor dword ptr [ebp+122D196Ah], eax 0x00000071 xor dword ptr [ebp+122D19A5h], ecx 0x00000077 push eax 0x00000078 jc 00007EFDA4C418FCh 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1043495 second address: 10434AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C3865Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476B1 second address: 10476B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10434AF second address: 10434D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFDA4C38668h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476B6 second address: 10476BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476BB second address: 10476C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476C1 second address: 10476D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007EFDA4C418ECh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476D9 second address: 10476DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10476DF second address: 10476E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104692C second address: 1046930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 104785D second address: 1047861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1047861 second address: 1047867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1C2E second address: FE1C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE1C32 second address: FE1C38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055DA1 second address: 1055DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1055DAA second address: 1055DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105A39F second address: 105A3D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418F9h 0x00000007 jmp 00007EFDA4C418F4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 105A3D4 second address: 105A3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059D6A second address: 1059D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059D70 second address: 1059D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007EFDA4C38656h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059EF3 second address: 1059EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059EF7 second address: 1059F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007EFDA4C38656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059F01 second address: 1059F05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059F05 second address: 1059F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059F0B second address: 1059F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007EFDA4C418E8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059F20 second address: 1059F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFDA4C38656h 0x0000000a jmp 00007EFDA4C38663h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1059F3E second address: 1059F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFDA4C418F2h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1062347 second address: 106234C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106234C second address: 1062352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1062352 second address: 1062356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10623DB second address: 10623E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10623E2 second address: 1062433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 ja 00007EFDA4C38658h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edx 0x00000017 push edi 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop edi 0x0000001b pop edx 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f jmp 00007EFDA4C38668h 0x00000024 jmp 00007EFDA4C3865Bh 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push ebx 0x0000002f pushad 0x00000030 jo 00007EFDA4C38656h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10625BE second address: 10625C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10625C2 second address: 10625D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007EFDA4C38656h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066FF8 second address: 1066FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066FFC second address: 1067002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066436 second address: 1066456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFDA4C418F8h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066456 second address: 1066464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C3865Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10666F7 second address: 1066720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007EFDA4C418F2h 0x0000000c jmp 00007EFDA4C418EBh 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066CF8 second address: 1066D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFDA4C38662h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066D04 second address: 1066D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066D0A second address: 1066D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1066E74 second address: 1066E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007EFDA4C418EFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106E945 second address: 106E962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C38669h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106EB1B second address: 106EB20 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106EC69 second address: 106EC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a jnc 00007EFDA4C38656h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 pushad 0x00000015 je 00007EFDA4C38656h 0x0000001b jno 00007EFDA4C38656h 0x00000021 popad 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106EC8E second address: 106ECB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007EFDA4C418F9h 0x0000000b jno 00007EFDA4C418E6h 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 106EF48 second address: 106EF51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C2473 second address: 10C2489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007EFDA4C418ECh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1E40 second address: 10C1E5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007EFDA4C38656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007EFDA4C3865Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1E5D second address: 10C1E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C1E61 second address: 10C1E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007EFDA4C38656h 0x0000000d jmp 00007EFDA4C38668h 0x00000012 jbe 00007EFDA4C38656h 0x00000018 push edi 0x00000019 pop edi 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push esi 0x0000001f push edx 0x00000020 pop edx 0x00000021 jne 00007EFDA4C38656h 0x00000027 pop esi 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10C6E7F second address: 10C6E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007EFDA4C418F7h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAF3A second address: 10DAF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFDA4C38669h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAF57 second address: 10DAF63 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFDA4C418E6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DAF63 second address: 10DAF69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB215 second address: 10DB21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB380 second address: 10DB386 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB386 second address: 10DB3A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418F9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB855 second address: 10DB8AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007EFDA4C3865Bh 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007EFDA4C3865Ch 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a jnc 00007EFDA4C38670h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007EFDA4C38660h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DB8AE second address: 10DB8D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007EFDA4C418F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007EFDA4C418E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DC310 second address: 10DC31E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007EFDA4C38656h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10DC31E second address: 10DC32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFDA4C418E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E10F9 second address: 10E10FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E10FF second address: 10E111E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007EFDA4C418E8h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFDA4C418F0h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10E111E second address: 10E1134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFDA4C3865Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA030 second address: FEA034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA034 second address: FEA044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFDA4C3865Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA044 second address: FEA05F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFDA4C418F4h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA05F second address: FEA074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007EFDA4C38656h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA074 second address: FEA07E instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFDA4C418E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FEA07E second address: FEA096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007EFDA4C3865Ch 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECEB6 second address: 10ECEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10ECEC0 second address: 10ECEC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FA103 second address: 10FA10B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 10FA10B second address: 10FA10F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FE6989 second address: FE69A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b jnl 00007EFDA4C418E6h 0x00000011 popad 0x00000012 jl 00007EFDA4C418ECh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11006F6 second address: 1100748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C38662h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d jmp 00007EFDA4C38663h 0x00000012 jmp 00007EFDA4C38667h 0x00000017 pop eax 0x00000018 jmp 00007EFDA4C3865Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100748 second address: 1100753 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007EFDA4C418E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100753 second address: 110075E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11008A3 second address: 11008A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100A28 second address: 1100A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100BA2 second address: 1100BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100BA6 second address: 1100BC8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFDA4C38656h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007EFDA4C38661h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100BC8 second address: 1100BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFDA4C418EFh 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100BDC second address: 1100BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007EFDA4C38656h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100D2D second address: 1100D4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFDA4C418F9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100D4B second address: 1100D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100D50 second address: 1100D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFDA4C418E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1100D5C second address: 1100D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11042F6 second address: 11042FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11042FA second address: 1104300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104300 second address: 1104306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104306 second address: 1104311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007EFDA4C38656h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104311 second address: 110431E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110431E second address: 1104322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1104322 second address: 1104344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a jg 00007EFDA4C418E6h 0x00000010 pop ecx 0x00000011 jnl 00007EFDA4C418EEh 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105C20 second address: 1105C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105C28 second address: 1105C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1105C30 second address: 1105C55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C3865Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFDA4C3865Fh 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110DF70 second address: 110DF89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFDA4C418EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110DF89 second address: 110DFBA instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFDA4C38656h 0x00000008 jmp 00007EFDA4C38661h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnp 00007EFDA4C38666h 0x00000015 jmp 00007EFDA4C38660h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110DFBA second address: 110DFCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007EFDA4C418E6h 0x0000000a jl 00007EFDA4C418E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 110FB0B second address: 110FB16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007EFDA4C38656h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E6B10E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 102774A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E6D94F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 10B682B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: E72778 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeMemory allocated: 4CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exeMemory allocated: 4E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exeMemory allocated: 6E50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0105133C rdtsc 0_2_0105133C
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100D25E sidt fword ptr [esp-02h] 0_2_0100D25E
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 1376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0105B097 GetSystemInfo,VirtualAlloc, 0_2_0105B097
Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01000648 Start: 01000681 End: 01000660 0_2_01000648
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
Source: C:\Users\user\Desktop\file.exeFile opened: SICE
Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0105133C rdtsc 0_2_0105133C
Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: _Program Manager
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01051CD4 GetSystemTime,GetFileTime, 0_2_01051CD4

Lowering of HIPS / PFW / Operating System Security Settings

barindex
Source: C:\Users\user\Desktop\file.exeRegistry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time ProtectionRegistry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\NotificationsRegistry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exeRegistry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
Command and Scripting Interpreter
1
Windows Service
1
Windows Service
1
Masquerading
OS Credential Dumping1
System Time Discovery
Remote Services1
Archive Collected Data
2
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Service Execution
1
DLL Side-Loading
1
Process Injection
41
Disable or Modify Tools
LSASS Memory641
Security Software Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
DLL Side-Loading
271
Virtualization/Sandbox Evasion
Security Account Manager2
Process Discovery
SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
Bypass User Account Control
1
Process Injection
NTDS271
Virtualization/Sandbox Evasion
Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
Deobfuscate/Decode Files or Information
LSA Secrets24
System Information Discovery
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
Obfuscated Files or Information
Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
Software Packing
DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
DLL Side-Loading
Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
Bypass User Account Control
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Source: file.exe  Detection: 100%  Scanner: Avira  Label: TR/Crypt.XPACK.Gen
Source: file.exe  Detection: 100%  Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532848
Start date and time:2024-10-14 00:59:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.932620169172331
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'788'416 bytes
MD5:d5594be2f336a72d721e5975f0017a0b
SHA1:fc67fa32457fc3b6fa5c21501c19771ff4606797
SHA256:2a57b637d1d4c080203cb0410b2cae1aecf7fd0b945f75c6237d4b3a1edc402e
SHA512:c527b856575ec3275ea73943bbd126008061a0a599eefe56963fe06af1d806ec0fa461dc002cc7a5c828cadb43f1e19b2ce1eb59ffeb54622fdf935713149f1c
SSDEEP:49152:7HZAbURP2lJ5vdsFQs/WBmyz7TV+kqc3nnZ:KbUCJ5GR/WRz7M3m
TLSH:918533460FF222FDCD04C5B825D7E738676BB231D2C75F1A620BF32E62857679864891
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............F.. ...`....@.. ........................G......L....`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x86c000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | ffca21a70c4c92b80b06bc45914894d0 | False | 0.9314236111111112 | data | 7.787330887518301 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0xa000 | 0x2b0000 | 0x200 | ef085ccc0ba7c3f9b6384a8e1d5489c8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ktgtzmwy | 0x2ba000 | 0x1b0000 | 0x1ae800 | 81e3cd5b4e6a705708f78d23a3dfa094 | False | 0.9949067898882114 | data | 7.952952169167182 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rcunbeor | 0x46a000 | 0x2000 | 0x400 | 4b118b79392e3ca60228e67a8a565a0a | False | 0.7001953125 | data | 5.704701301077786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x46c000 | 0x4000 | 0x2200 | 4e7edd97ef42fb4ee30a36df84c67cc0 | False | 0.03079044117647059 | DOS executable (COM) | 0.22937471367023748 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID:0
Start time:19:00:13
Start date:13/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0xe60000
File size:1'788'416 bytes
MD5 hash:D5594BE2F336A72D721E5975F0017A0B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.4%
    Dynamic/Decrypted Code Coverage:4.2%
    Signature Coverage:4.7%
    Total number of Nodes:360
    Total number of Limit Nodes:22

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-11465FEC), ref: 0105B0A3
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 0105B104
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: d77fe88b5f2940b20517af18bee85f05233d337e9fac937a6a9333e63fd03893
    • Instruction ID: 7fb5ccc2158509bfb8320dba9be631181cc7c42d59715bdc9d44f87fe90e3d24
    • Opcode Fuzzy Hash: d77fe88b5f2940b20517af18bee85f05233d337e9fac937a6a9333e63fd03893
    • Instruction Fuzzy Hash: D24116B1D40206AEF779CF68D844BA7B7DCBB55740F0050A2E746D9882D670A1F0CBA0

    Control-flow Graph

    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04D018C8
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 2a97e294b99d02e45f99e279684a836c19a052909a3f5e264438f4c0b99adc27
    • Instruction ID: e31c4093d10e66601ca536fe597e359f032a71b6f2b2f059c5f5995ec92490a3
    • Opcode Fuzzy Hash: 2a97e294b99d02e45f99e279684a836c19a052909a3f5e264438f4c0b99adc27
    • Instruction Fuzzy Hash: 65C16870D006199FDB10CFA8CC857AEBBF1FF49314F148629E855E7284D775A985CB82

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0104F36B
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0104F37F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 6885be57f9736629aadf4e0f70869eb19df09a2e0558bf5b4ef4e36749363620
    • Instruction ID: 223a865d2fad32d409be47a7e8c46581fe11df0a0219f25d0aae7691b9e723c9
    • Opcode Fuzzy Hash: 6885be57f9736629aadf4e0f70869eb19df09a2e0558bf5b4ef4e36749363620
    • Instruction Fuzzy Hash: 76318BB550420BEFDF55EF58D988AAD7FB9FF18251F008175F98196020C73199A0DB91

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0104F6F2,?,00000000,00000000), ref: 0104F81D
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0104F6F2,?,00000000,00000000), ref: 0104F82B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: af43df28dbc2c5a47cb3a9832524a5bed8d37723b880ac1430480b9bedf3a0b6
    • Instruction ID: 431f24ad45a7870944054e54506daa85817d615136616d1ace0b269a89864aee
    • Opcode Fuzzy Hash: af43df28dbc2c5a47cb3a9832524a5bed8d37723b880ac1430480b9bedf3a0b6
    • Instruction Fuzzy Hash: AC1118B014562BEBFB75DF1CC8887997EB4BF50345F00827AE981984A0CBB9A594CA91

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(0088518C,-11465FEC), ref: 01052133
    • GetFileAttributesA.KERNEL32(00000000,-11465FEC), ref: 01052141
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 84009241013362e4ee20263ac95d0e3386a85e7ccb03256787bd54379cf77206
    • Instruction ID: bc7bc8da7a78c3694281e7eb5f0f3b5a3025f333c3d6f7862117451faa4cf730
    • Opcode Fuzzy Hash: 84009241013362e4ee20263ac95d0e3386a85e7ccb03256787bd54379cf77206
    • Instruction Fuzzy Hash: 2D0186B4104205FBEF61DF59C90979FBEB1BF60344F108060EF8165091C7B59691D788

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 010069F5
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 01006A1C
    • GetNativeSystemInfo.KERNELBASE(?), ref: 01006A73
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 44b1fe79a00851cc74fcacb4f83b9bb4fe1694a0ce218cc178c7d5e2183c7963
    • Instruction ID: d4f4baa9027c2711831ee7eb3697a78341d28f99344670be73005f0182f16822
    • Opcode Fuzzy Hash: 44b1fe79a00851cc74fcacb4f83b9bb4fe1694a0ce218cc178c7d5e2183c7963
    • Instruction Fuzzy Hash: 18413AB690410E9FFF12EF54C844BEE3BE9EB04305F004829E98586A80D7765DB4CF99

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0104E19C
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 1bb00a41a0cec4dae382a0f03f28fe7fba8873ab2c41c23a515b990d9daceb32
    • Instruction ID: 901add392c7bb23caa4100489b5412ea57fb000f08d2a6229e3542ae1209eaf5
    • Opcode Fuzzy Hash: 1bb00a41a0cec4dae382a0f03f28fe7fba8873ab2c41c23a515b990d9daceb32
    • Instruction Fuzzy Hash: 40314DB5A0020ABFDF62DFD8C948F9EBFB6BF48704F0011A1FA4095061D3769161DB60

    Control-flow Graph
    control_flow_graph 144 104f849-104f85c call 104db87 147 104f862-104f86e call 104e299 144->147 148 104f89f-104f8b3 call 104dc32 GetModuleHandleExA 144->148 151 104f873-104f875 147->151 154 104f8bd-104f8bf 148->154 151->148 153 104f87b-104f882 151->153 155 104f888 153->155 156 104f88b-104f8b8 call 104dc32 153->156 155->156 156->154
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0104F8AD
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 3e8bc3fb79b46385470bb5eb15ea8ece2c91f9f029dc04ddf19e97d110237432
    • Instruction ID: 6c19eea8a1254080274f64a476a367e47dd6a1feeeaa1214aa5ff73e94e616b1
    • Opcode Fuzzy Hash: 3e8bc3fb79b46385470bb5eb15ea8ece2c91f9f029dc04ddf19e97d110237432
    • Instruction Fuzzy Hash: 35F01DF220021BAFEF11DF58D988AAD7BA4BF64350F008079FE4849151C775D5619B61

    Control-flow Graph
    control_flow_graph 187 10522d6-10522e4 188 10522f6 187->188 189 10522ea-10522f1 187->189 190 10522fd-1052309 call 104db87 188->190 189->190 193 1052324-1052334 call 1052288 190->193 194 105230f-1052319 call 10521e3 190->194 199 1052346-1052354 call 104e299 193->199 200 105233a-1052341 193->200 194->193 201 105231f 194->201 202 1052365-105236a 199->202 207 105235a-105235b call 104fadd 199->207 200->202 201->202 205 1052370-105238e CreateFileW 202->205 206 1052393-10523a8 CreateFileA 202->206 208 10523ae-10523af 205->208 206->208 211 1052360 207->211 210 10523b4-10523bb call 104dc32 208->210 211->210
    APIs
    • CreateFileW.KERNELBASE(0088518C,?,?,-11465FEC,?,?,?,-11465FEC,?), ref: 01052388
      • Part of subcall function 01052288: IsBadWritePtr.KERNEL32(?,00000004), ref: 01052296
    • CreateFileA.KERNEL32(?,?,?,-11465FEC,?,?,?,-11465FEC,?), ref: 010523A8
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: c3a8cec4965a0c7dc6aa46b377fba66fbd359254c502b4287334d4a2048ffe66
    • Instruction ID: eac26b22bd0b8e042ee54e2bda56219cfb8c4f05b530b5b862620f08c6f2ecf4
    • Opcode Fuzzy Hash: c3a8cec4965a0c7dc6aa46b377fba66fbd359254c502b4287334d4a2048ffe66
    • Instruction Fuzzy Hash: A611147510060AFBDF929F98CD08BEE3EB2BF18344F048065BE81240A1C77689B1EB81

    Control-flow Graph
    control_flow_graph 214 1051c42-1051c58 call 104db87 GetCurrentProcess 217 1051c5e-1051c61 214->217 218 1051c9a-1051cbc call 104dc32 DuplicateHandle 214->218 217->218 219 1051c67-1051c6a 217->219 224 1051cc6-1051cc8 218->224 219->218 221 1051c70-1051c83 call 104d9e1 219->221 221->218 226 1051c89-1051cc1 call 104f9df call 104dc32 221->226 226->224
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    • GetCurrentProcess.KERNEL32(-11465FEC), ref: 01051C4F
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01051CB5
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 841c8a73d1260dd15bd30c3e19006a814ca758aba12065e8f84a6c3830c816f0
    • Instruction ID: ba048a074e034d19f94ff081e9520952b958fcc1237302323ae2130e5da8d777
    • Opcode Fuzzy Hash: 841c8a73d1260dd15bd30c3e19006a814ca758aba12065e8f84a6c3830c816f0
    • Instruction Fuzzy Hash: 0A01967210014FFB8F52AFA8DD48DEE3FAABFA8354B004525F99595110C736D462EB61

    Control-flow Graph
    control_flow_graph 231 104db87-104db9d GetCurrentThreadId 232 104db9f-104dbab 231->232 233 104dbe6-104dbf3 call 1054a06 232->233 234 104dbb1-104dbb3 232->234 234->233 235 104dbb9-104dbc0 234->235 237 104dbd5-104dbe1 Sleep 235->237 238 104dbc6-104dbcd 235->238 237->232 238->237 240 104dbd3 238->240 240->237
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 0104DB96
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 2765cbd748e5a7824a55313b62fab344e088a1d7612ec5236f29be764b1c992d
    • Instruction ID: b5b31a9ec22f4745b286d1abe760b1090b73a15d3d8ec4b73941a8b37ae6b168
    • Opcode Fuzzy Hash: 2765cbd748e5a7824a55313b62fab344e088a1d7612ec5236f29be764b1c992d
    • Instruction Fuzzy Hash: 93F0BEB210510AEBE761CFA8C88C7AEBBF8FF5131AF2040BAD24196150D7755986CBC1

    Control-flow Graph
    control_flow_graph 257 4d015cf-4d0165a 259 4d01693-4d016b5 257->259 260 4d0165c-4d01666 257->260 267 4d016f1-4d01712 259->267 268 4d016b7-4d016c4 259->268 260->259 261 4d01668-4d0166a 260->261 262 4d0166c-4d01676 261->262 263 4d0168d-4d01690 261->263 265 4d01678 262->265 266 4d0167a-4d01689 262->266 263->259 265->266 266->266 269 4d0168b 266->269 274 4d01714-4d0171e 267->274 275 4d0174b-4d0176d 267->275 268->267 270 4d016c6-4d016c8 268->270 269->263 272 4d016ca-4d016d4 270->272 273 4d016eb-4d016ee 270->273 276 4d016d6 272->276 277 4d016d8-4d016e7 272->277 273->267 274->275 278 4d01720-4d01722 274->278 285 4d017a9-4d017ca 275->285 286 4d0176f-4d0177c 275->286 276->277 277->277 279 4d016e9 277->279 280 4d01724-4d0172e 278->280 281 4d01745-4d01748 278->281 279->273 283 4d01730 280->283 284 4d01732-4d01741 280->284 281->275 283->284 284->284 287 4d01743 284->287 292 4d01803-4d01825 285->292 293 4d017cc-4d017d6 285->293 286->285 288 4d0177e-4d01780 286->288 287->281 290 4d01782-4d0178c 288->290 291 4d017a3-4d017a6 288->291 294 4d01790-4d0179f 290->294 295 4d0178e 290->295 291->285 301 4d01861-4d01867 292->301 302 4d01827-4d01834 292->302 293->292 297 4d017d8-4d017da 293->297 294->294 296 4d017a1 294->296 295->294 296->291 298 4d017dc-4d017e6 297->298 299 4d017fd-4d01800 297->299 303 4d017e8 298->303 304 4d017ea-4d017f9 298->304 299->292 309 4d01871-4d018d8 ChangeServiceConfigA 301->309 302->301 305 4d01836-4d01838 302->305 303->304 304->304 306 4d017fb 304->306 307 4d0183a-4d01844 305->307 308 4d0185b-4d0185e 305->308 306->299 310 4d01846 307->310 311 4d01848-4d01857 307->311 308->301 312 4d018e1-4d01920 309->312 313 4d018da-4d018e0 309->313 310->311 311->311 314 4d01859 311->314 317 4d01930-4d01934 312->317 318 4d01922-4d01926 312->318 313->312 314->308 320 4d01944-4d01948 317->320 321 4d01936-4d0193a 317->321 318->317 319 4d01928-4d0192b call 4d0013c 318->319 319->317 324 4d01958-4d0195c 320->324 325 4d0194a-4d0194e 320->325 321->320 323 4d0193c-4d0193f call 4d0013c 321->323 323->320 328 4d0196c-4d01970 324->328 329 4d0195e-4d01962 324->329 325->324 327 4d01950-4d01953 call 4d0013c 325->327 327->324 332 4d01980-4d01984 328->332 333 4d01972-4d01976 328->333 329->328 331 4d01964-4d01967 call 4d0013c 329->331 331->328 335 4d01994 332->335 336 4d01986-4d0198a 332->336 333->332 334 4d01978-4d0197b call 4d0013c 333->334 334->332 341 4d01995 335->341 336->335 339 4d0198c-4d0198f call 4d0013c 336->339 339->335 341->341
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 04D018C8
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 6dc5fd66161229b8cf0ca441af318ff840cb08db2e68562c02035d80dee3d416
    • Instruction ID: ce90f72577542ba037cfdf5aba33fd5460b26a5626a59aebc28fb7614f67bc54
    • Opcode Fuzzy Hash: 6dc5fd66161229b8cf0ca441af318ff840cb08db2e68562c02035d80dee3d416
    • Instruction Fuzzy Hash: 30C17870D006199FDB10CFA8CC857AEBBF1FF49314F048629E858E7284D775A981CB82

    Control-flow Graph
    control_flow_graph 427 105bac3-105bad1 428 105baf4-105bafe call 105b958 427->428 429 105bad7-105bae9 427->429 434 105bb04 428->434 435 105bb09-105bb12 428->435 429->428 433 105baef 429->433 436 105bc53-105bc55 433->436 434->436 437 105bb18-105bb1f 435->437 438 105bb2a-105bb31 435->438 437->438 439 105bb25 437->439 440 105bb37 438->440 441 105bb3c-105bb4c 438->441 439->436 440->436 441->436 442 105bb52-105bb5e call 105ba2d 441->442 445 105bb61-105bb65 442->445 445->436 446 105bb6b-105bb75 445->446 447 105bb9c-105bb9f 446->447 448 105bb7b-105bb8e 446->448 449 105bba2-105bba5 447->449 448->447 453 105bb94-105bb96 448->453 451 105bc4b-105bc4e 449->451 452 105bbab-105bbb2 449->452 451->445 454 105bbe0-105bbf9 452->454 455 105bbb8-105bbbe 452->455 453->447 453->451 461 105bc12-105bc1a VirtualProtect 454->461 462 105bbff-105bc0d 454->462 456 105bbc4-105bbc9 455->456 457 105bbdb 455->457 456->457 459 105bbcf-105bbd5 456->459 460 105bc43-105bc46 457->460 459->454 459->457 460->449 463 105bc20-105bc23 461->463 462->463 463->460 465 105bc29-105bc42 463->465 465->460
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f8d6959427da5ee75e2298c8faabdbc014c81c6e8a40cf21a989a9baea56f90e
    • Instruction ID: cfd4571dd4256def5ddfc07408a433b489fe81c2e2d7afe0e335848bef9fb839
    • Opcode Fuzzy Hash: f8d6959427da5ee75e2298c8faabdbc014c81c6e8a40cf21a989a9baea56f90e
    • Instruction Fuzzy Hash: C6417F7190410ADFEBB5CF18D944BAFBBF6FB40311F108095E982AA191C7B1B990CB55
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 01050376
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 33c79b101319a0dd202fb88a6daf24961acb8424d4bbbe03c69b678c522f3f5e
    • Instruction ID: c17ffe27587d56fb5dcba63712dbcb568d61ac8953cd769fa34073afcdcad78d
    • Opcode Fuzzy Hash: 33c79b101319a0dd202fb88a6daf24961acb8424d4bbbe03c69b678c522f3f5e
    • Instruction Fuzzy Hash: C9316C71900209FFEB60DF59DC89F9FBBBCEB44314F208265F955AA191C7B19951CB10
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0104FB5F
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 1c7cdc85eb927ef293e032983fa3db79197dcdce56abfc05f855e073ee4f7004
    • Instruction ID: ae06c54b2b887ae5d8a5b59f744dc982c77088cd2bc64b749bac914c4c021227
    • Opcode Fuzzy Hash: 1c7cdc85eb927ef293e032983fa3db79197dcdce56abfc05f855e073ee4f7004
    • Instruction Fuzzy Hash: A7318FB5600206BFEB21DF6CDC85F9977B8FB09724F2082A5F650EA1D1C7B1A9428B54
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 0105B8BD
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 3839c34ab7b0c6537827aa869a474d3b9240228327ce5f8f0785af14c8b75856
    • Instruction ID: 098a95fd3b34d5fa3fce87f035125afd50acd7000ff179433ab87320b072e032
    • Opcode Fuzzy Hash: 3839c34ab7b0c6537827aa869a474d3b9240228327ce5f8f0785af14c8b75856
    • Instruction Fuzzy Hash: F5118E71E01229AFEBA15A098C48BFBB7ADAB04714F1460E5ED85A2042D770E980CEA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04D00DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 7219b068a61aed5b956caa41342b8391c3486e64dd142cb13a776df2ba529b38
    • Instruction ID: 3e8019266d32cc949d127e34cf8a119d7da7e1065e09c24bae30e2940034fd08
    • Opcode Fuzzy Hash: 7219b068a61aed5b956caa41342b8391c3486e64dd142cb13a776df2ba529b38
    • Instruction Fuzzy Hash: 8C2135B6C012089FCB10CF99E884BDEFBF0FB88310F14822AD808AB245D734A544CBB0
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04D00DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: e23b372f4c98c6bfca992a56ba7301dfe664289c9cdaf671ceefa38899361ed2
    • Instruction ID: 6a898656f4ad365c4fb7f83533b79389068666412d93d45bd9f7f5080222e44a
    • Opcode Fuzzy Hash: e23b372f4c98c6bfca992a56ba7301dfe664289c9cdaf671ceefa38899361ed2
    • Instruction Fuzzy Hash: F72135B6C002089FCB10CF99D884BDEFBF4FB88310F14822AD808AB245D734A544CBB4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04D01580
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 3dfb93594585829d75a909741f608ee35308e95696bd5a4a2d842f287e7a8961
    • Instruction ID: 81c5402d813781264d0274a1532273097e104877123ed622704637a12c6d9957
    • Opcode Fuzzy Hash: 3dfb93594585829d75a909741f608ee35308e95696bd5a4a2d842f287e7a8961
    • Instruction Fuzzy Hash: 111114B19003499FDB10CF9AC888BDEFBF4FB48320F108029E559A7240D378A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04D01580
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 8b21e2187d45d112688bed705d320024a33a6b4f257762384d06eb81b8fd94da
    • Instruction ID: 15a818b683404720e65dd4a4776ce9ffe4fc32ce00b5e86f8a0777d57e97702a
    • Opcode Fuzzy Hash: 8b21e2187d45d112688bed705d320024a33a6b4f257762384d06eb81b8fd94da
    • Instruction Fuzzy Hash: 2C1114B19002499FDB10CF9AC488BDEFBF4FB48320F108029E559A7240D378A644CFA1
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11465FEC), ref: 01052E95
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: 3c302493969f64a6102d9d8c31cdda0419c11762a02a2a62c958b07287850e0e
    • Instruction ID: 1a1b41c0379b033575728bf73cb4e4e230e9cdbd741e41c6cb4493936d326e17
    • Opcode Fuzzy Hash: 3c302493969f64a6102d9d8c31cdda0419c11762a02a2a62c958b07287850e0e
    • Instruction Fuzzy Hash: 0011907250010AEFCF92AFA8CC48D9F3AA6BF69344B048561FA8155024C73698B2EB61
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 4b72d324a88554bc2fa8f7d54efe28cc1a866285f2508ad463e5ce0e6570c583
    • Instruction ID: 34695594519c80c085a604edfd34bd300979fef1f0157337b61bc1837f64c51d
    • Opcode Fuzzy Hash: 4b72d324a88554bc2fa8f7d54efe28cc1a866285f2508ad463e5ce0e6570c583
    • Instruction Fuzzy Hash: 4D11277610010EEBDF92AFE8C908E9F7EA6BF69240F148461FE8195061C775C561DB61
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 672182fa41f816f6b3fff2bcca67b8a557039db0af50c1c0b879451b8c4a04ad
    • Instruction ID: 6e8317ce889585d1581b6c8cd77156c94d06955d6c3c95013277e9fd88486b03
    • Opcode Fuzzy Hash: 672182fa41f816f6b3fff2bcca67b8a557039db0af50c1c0b879451b8c4a04ad
    • Instruction Fuzzy Hash: 4901A7B251C600EFF70A5E54DC99A3EB7E4FF14220F15091EF6C287A80E9715C108757
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04D01367
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: d1cafa7bb8bb464bf862c4d795a171ca5e4a4cc4c2b520becce816848e84db3a
    • Instruction ID: 11510e64cc7cdb818180f645a100ac57e92c6608921617974a1c69bee94d2908
    • Opcode Fuzzy Hash: d1cafa7bb8bb464bf862c4d795a171ca5e4a4cc4c2b520becce816848e84db3a
    • Instruction Fuzzy Hash: AF1166B1800249CFDB10CF9AC985BDEFBF4EF48320F14842AD558A3680C738A545CFA1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04D01367
    Memory Dump Source
    • Source File: 00000000.00000002.1977356738.0000000004D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4d00000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: d9bc3c43981fd5b0c8017bf49d85fb2fa1a1eab320239dd9ef2c1a61e66dcd09
    • Instruction ID: 52570a2e19751d42b7d1e2418c164bb5257db9f8c682cb2cbf0b8f138ca7f8a4
    • Opcode Fuzzy Hash: d9bc3c43981fd5b0c8017bf49d85fb2fa1a1eab320239dd9ef2c1a61e66dcd09
    • Instruction Fuzzy Hash: DC1136B1800349CFDB10CF9AC845BDEFBF4EB48320F14842AD558A3280D778A544CFA5
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11465FEC,?,?,01050209,?,?,00000400,?,00000000,?,00000000), ref: 01052546
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: 4b3b921b0d9df32ba3764d565f76c73c11dfc1621f72da7697b5094b81b01203
    • Instruction ID: e16de44072504b740fb1446e65c1423813cf5eaaf780126bac4cca848fd9716e
    • Opcode Fuzzy Hash: 4b3b921b0d9df32ba3764d565f76c73c11dfc1621f72da7697b5094b81b01203
    • Instruction Fuzzy Hash: D7F0C97220010AEBCF52AFA8D948DDE3F66AF68354F408125FE4699020C736C862EB61
    APIs
    • GetProcAddress.KERNEL32(0104EC73,0104EC73), ref: 0104F508
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: de4e1ba384145e4e45666a4b85b6a5f140be1b200c285bef39c21d582f22887e
    • Instruction ID: ae32ab0a6b1ca9834556076c6d8bfb27ad73306c43eba0c9da74ada6f93371bc
    • Opcode Fuzzy Hash: de4e1ba384145e4e45666a4b85b6a5f140be1b200c285bef39c21d582f22887e
    • Instruction Fuzzy Hash: 9AE0E5F220010BBB9F117FBCDD8899E7E65AFA1294B00C131BEC698024CE75C551DBA1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 41a040669a8e54397d4972dbab640f1204742dccbe49f8b5f00189d7d7dab1ad
    • Instruction ID: 366f55f7b90f2aa5b599079e45759250d8cea19ca4a97679f0204e6fe3ac65b4
    • Opcode Fuzzy Hash: 41a040669a8e54397d4972dbab640f1204742dccbe49f8b5f00189d7d7dab1ad
    • Instruction Fuzzy Hash: B701E476A0010ABFDF11AFE9CC44DDEBFB6EF58341F4001B1A985A4460D7328662DB60
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,0105B436,?,?,0105B13C,?,?,0105B13C,?,?,0105B13C), ref: 0105B45A
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 6552031eddb49e2b1068e3d061ee699456633ca3a5991af84b0c7ca024109ffc
    • Instruction ID: 67d20da2342ec34afa7842e304b094daad0334f8dbedbf3779541b08502c047a
    • Opcode Fuzzy Hash: 6552031eddb49e2b1068e3d061ee699456633ca3a5991af84b0c7ca024109ffc
    • Instruction Fuzzy Hash: DDF0D1B1900206EFE7B48F09C804B5ABFE1FF46311F108069F98A9B192D770A4D0CF50
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    • CloseHandle.KERNELBASE(0105029E,-11465FEC,?,?,0105029E,?), ref: 01050919
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 180849ac5626d93756e600f6bb6d0fe1b2f7532266db45ac80712c6d5d1e29bf
    • Instruction ID: ac3093ae4a5b0c52e31f0e2e5198227490110f863ad9bfa5f845512a7d7bf2a4
    • Opcode Fuzzy Hash: 180849ac5626d93756e600f6bb6d0fe1b2f7532266db45ac80712c6d5d1e29bf
    • Instruction Fuzzy Hash: 9AE04FB660004BB7DF50BABCC84CECF6B7DAFB5344B008532F98195058DA65C496C765
    APIs
    • CloseHandle.KERNELBASE(?,?,0104DA26,?,?), ref: 0104F9A6
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: df18c8aa26714511221133cde8d3fd56d8981af9d83d2ffd832a5734de7a0743
    • Instruction ID: 111f6633951003900372ff413cdb5726d0f4abff0f543a720bba85e9703346eb
    • Opcode Fuzzy Hash: df18c8aa26714511221133cde8d3fd56d8981af9d83d2ffd832a5734de7a0743
    • Instruction Fuzzy Hash: 55B0923100010ABBCB01FF59EC0688EBF6AFF2A298B008121F956444208B72E962ABD4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: !)-~$,5'?$::w}$A,w]$^m$^m$n;sq
    • API String ID: 0-754930921
    • Opcode ID: 0a7cd37d6b79fe110a5cbaba161c8d36ba92f0bc0324fef665291f4d6c62e867
    • Instruction ID: a1f4962f9ae25b0e4ea9179680a8844e04f7e1a39e111deb10392feb5b7538c8
    • Opcode Fuzzy Hash: 0a7cd37d6b79fe110a5cbaba161c8d36ba92f0bc0324fef665291f4d6c62e867
    • Instruction Fuzzy Hash: 86B207F3A0C2009FE3146E2DEC8577ABBE5EB94720F1A493DEAC4C7744E63598058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: &F$/Dm$A!~$DnS{$Fv$swo
    • API String ID: 0-2071566091
    • Opcode ID: 9150a7d048a520a8eb07d53796b3a31b802d19749d8ab47901e4effa398a19bf
    • Instruction ID: 7fcc93f0d5f8e4d4780c976a3a11a1d165719c6f5350b05b632d086c1330ab43
    • Opcode Fuzzy Hash: 9150a7d048a520a8eb07d53796b3a31b802d19749d8ab47901e4effa398a19bf
    • Instruction Fuzzy Hash: 34B23BF3A0C2049FE3046E2DEC8567ABBE9EF94720F16463DEAC4C7744EA3558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: *H{^$2s>4$W9+}$Z~'$`^m$orlib.resources
    • API String ID: 0-2287714673
    • Opcode ID: 80cc9c1076ef2cfb46213031f38335ad3006f545b771cffe27ba65539065738e
    • Instruction ID: cdac80a2a96ae8ca6ffc547e3a7939fb798199528a7561dba7e4e3a83af42821
    • Opcode Fuzzy Hash: 80cc9c1076ef2cfb46213031f38335ad3006f545b771cffe27ba65539065738e
    • Instruction Fuzzy Hash: 7FB216F3A0C2149FE304AE2DEC8567ABBE9EF98320F16493DEAC4D7744E53558018697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: Btnu$E=s|$^.O>$g"r$p?m$]{
    • API String ID: 0-360384516
    • Opcode ID: 8989575d7adfdc0288d3c15730b5b2e5e41ed3501c7586ce32a87f335e9ae6f0
    • Instruction ID: 325203b511d59fb81907be829c6359c1a65c1e7f2272e57f46db84ab8ff4906f
    • Opcode Fuzzy Hash: 8989575d7adfdc0288d3c15730b5b2e5e41ed3501c7586ce32a87f335e9ae6f0
    • Instruction Fuzzy Hash: 19B2F8F3A082049FE304AE2DEC8567ABBE5EFD4720F1A893DEAC4C7744E53558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: *zbQ$C|?;$D_}$IG}$qb#1$"
    • API String ID: 0-4169439036
    • Opcode ID: 4b4a2c3f29cee5dc549d1b6bb7b498819962d29192d03eeb6d32cdc7ba804c56
    • Instruction ID: 5120a55c08374e8628ff0b8cf2a32560c8f588a828ac38bd40008864ef064b7a
    • Opcode Fuzzy Hash: 4b4a2c3f29cee5dc549d1b6bb7b498819962d29192d03eeb6d32cdc7ba804c56
    • Instruction Fuzzy Hash: 6FB2F8F360C2009FE308AF2DEC8567ABBE5EF94720F1A493DE6C5C7344E63598458696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: RD}}$qS~^$rdL$$z*~$Lk
    • API String ID: 0-4090537140
    • Opcode ID: 6d3ec6defee7e006ac5ae4e1a4224b587d46f1a3333ea77e2784d06958c0331e
    • Instruction ID: e1a725594015386c1330dead3a2a199d084a39b3632f9835e5f90fefde5fb98d
    • Opcode Fuzzy Hash: 6d3ec6defee7e006ac5ae4e1a4224b587d46f1a3333ea77e2784d06958c0331e
    • Instruction Fuzzy Hash: 75B206F3A0C604AFE304AE2DDC8567AFBE5EF94720F1A893DE6C483744E67558018697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: {_w${_w$15:$4xw$cSVk
    • API String ID: 0-520374379
    • Opcode ID: e21ada817258bd4d14242f58c0bed5d8e7fd9ba86fd5f339103218a8125e08a0
    • Instruction ID: ebe97be7ef5baf63b0f4b260224a95b362f492ac6ba575ba56d6774bfc024241
    • Opcode Fuzzy Hash: e21ada817258bd4d14242f58c0bed5d8e7fd9ba86fd5f339103218a8125e08a0
    • Instruction Fuzzy Hash: D8B2E2F360C2009FE304AF2DDC8567ABBE9EF94720F1A892DE6C4C7744E63598458697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: *H`$jf3$qX7w$uX7w$uo}|
    • API String ID: 0-839499072
    • Opcode ID: 5a987a1ffaafa8046a116e141a3014e5848afcb2fe72653a17354dfe880d479d
    • Instruction ID: 62e78c8a4a4041ff69cc85ebcfa381c864fc5754f06c4d95c898af425ea5a71b
    • Opcode Fuzzy Hash: 5a987a1ffaafa8046a116e141a3014e5848afcb2fe72653a17354dfe880d479d
    • Instruction Fuzzy Hash: 1DA2E5F3A082109FE3046F2DEC8567AFBE9EF94720F1A493DEAC4C7744E63558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: jnf$r{y,$}6K`
    • API String ID: 0-3069699730
    • Opcode ID: 3d793c4b4288a9bada143ff36d9302fce4b6c6838d1b2905bb29e438d9401911
    • Instruction ID: 66b32a5d6da08eb16f466f445d7d104a2f4d2aa42ed22f787ca3cec4c0bb2e21
    • Opcode Fuzzy Hash: 3d793c4b4288a9bada143ff36d9302fce4b6c6838d1b2905bb29e438d9401911
    • Instruction Fuzzy Hash: 07B2F8F3A0C2009FE304AE2DEC9577ABBE9EB94320F1A453DE6C5C7744EA3558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: "$y_$hO$hzz
    • API String ID: 0-3495556195
    • Opcode ID: ed6ed6ef7710f49b4ae5a669a070f7904c388c06af63dd0b4c142c6e0d808ea1
    • Instruction ID: 27047d43c59df8c6852083081ee30efa585fcef7a150b4b91fd3fedaf1b07f8f
    • Opcode Fuzzy Hash: ed6ed6ef7710f49b4ae5a669a070f7904c388c06af63dd0b4c142c6e0d808ea1
    • Instruction Fuzzy Hash: 0FA2D5F3A0C204AFE3046E29EC8577ABBE5EF94720F1A493DEAC483744E63558158797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: AC/$v:{.
    • API String ID: 0-389637090
    • Opcode ID: 5cb6b8dab7bf9c2310941014bc93509e0bbdb4a6c51faf95e8d999242b72360f
    • Instruction ID: 9584a70199eb0524676922d5d6bad7f5eb0f564fb2618c0a27101cbd2cdbd21a
    • Opcode Fuzzy Hash: 5cb6b8dab7bf9c2310941014bc93509e0bbdb4a6c51faf95e8d999242b72360f
    • Instruction Fuzzy Hash: 18B213F360C2049FE7046E2DEC8567ABBE5EF94320F1A493DE6C4C3744EA3598458697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: vwq$ ?
    • API String ID: 0-2645152858
    • Opcode ID: 67eee2d6a9aaa44202018c97fa57adc1760175d9b7593b33201bd745316fa3ac
    • Instruction ID: d511965ff33bf18e0867d5f56761f720a31c992e6f98048f01327331a04dbb10
    • Opcode Fuzzy Hash: 67eee2d6a9aaa44202018c97fa57adc1760175d9b7593b33201bd745316fa3ac
    • Instruction Fuzzy Hash: E9B218F3A0C2049FE3046E29EC8567ABBE5EF94320F1A863DE6C5C7744E67598018797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: %$shell32.dll$x
    • API String ID: 0-999810496
    • Opcode ID: 7aa4a6c20e7b01a6de5b05b911781876e0cdee7e837cf29c7d74ecf0db873235
    • Instruction ID: 052b73dc4696ffa7fe129a4059c9ec781f547ae4b288d754a584a8f31f5e96dc
    • Opcode Fuzzy Hash: 7aa4a6c20e7b01a6de5b05b911781876e0cdee7e837cf29c7d74ecf0db873235
    • Instruction Fuzzy Hash: 6411B472A00206EBE764CF65D888BAFBBFCFFC4700F109055F90299542E7B585D48751
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
    • GetSystemTime.KERNEL32(?,-11465FEC), ref: 01051D09
    • GetFileTime.KERNEL32(?,?,?,?,-11465FEC), ref: 01051D4C
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: bc654e2cd350fb5fcfa1343b2b31ee35934ff06faa5370a2172a9c25bdb95330
    • Instruction ID: 5aef92bddcbeed9079a1997b8fb82e4f5ae367436dd1638c16824252cf319c86
    • Opcode Fuzzy Hash: bc654e2cd350fb5fcfa1343b2b31ee35934ff06faa5370a2172a9c25bdb95330
    • Instruction Fuzzy Hash: 8B01D63220448AFBCF61BF69DC08E9F7F76EFE5310B008521F84195060C77699A2DB61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 2m$WVgW
    • API String ID: 0-799237516
    • Opcode ID: 8aa6875832e87a668eb31af32ce4e6a079b1da0881b9521aa13551ffa85967c0
    • Instruction ID: 62fd0ac1b026a686a3d699a6b6714535f931755950cf6b89233c4c2987c131e4
    • Opcode Fuzzy Hash: 8aa6875832e87a668eb31af32ce4e6a079b1da0881b9521aa13551ffa85967c0
    • Instruction Fuzzy Hash: F0416DF3E086245FE31C6E18EC557BAB2DADB94320F2B412DEBC5A7781ED75480186C6
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 01052BD9
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: a47a1a8beb208ffd4159aed0d2a62a476124572dbca5133884369b3fbf634fc3
    • Instruction ID: 429873a6e34b6215cb19caf685ae0601fa28a597c405f3bb680178a1bc1f4118
    • Opcode Fuzzy Hash: a47a1a8beb208ffd4159aed0d2a62a476124572dbca5133884369b3fbf634fc3
    • Instruction Fuzzy Hash: C8F0F23260420EEFDF41CFA4C944A8D7BB2FF08344B108129FA05A6260C3769AA1EF50
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: /H?>
    • API String ID: 0-1042516891
    • Opcode ID: 5432936475a6a78bc0c095ad742c262c91c9036a3c5741fa55ea9475149b3de6
    • Instruction ID: f50f51ea075861b09efceb20d6a95cf98262b49d8b04f2ed9d869a9e5c4c9bc4
    • Opcode Fuzzy Hash: 5432936475a6a78bc0c095ad742c262c91c9036a3c5741fa55ea9475149b3de6
    • Instruction Fuzzy Hash: 8B418BF360C3185BE704BE6DEC85676BBD5DB94260F12863DEA8487744FA72590482C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID: g/5g
    • API String ID: 0-3309512502
    • Opcode ID: fdbadd90260fe252dc361c883418dfb1a980044dcea63630fb87f5e254718534
    • Instruction ID: b9af114ab62f16f25a4c4fbac028f970192e675a03143c2e9b5c9bbdf5cd0d7f
    • Opcode Fuzzy Hash: fdbadd90260fe252dc361c883418dfb1a980044dcea63630fb87f5e254718534
    • Instruction Fuzzy Hash: A54116B321D704AFE3046E3AECC5B7ABBD9EB84324F120A3EE6C0C7740DA7558018656
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6a1df537e689fd45a76b5db81003aac94b33a931cdcdbbc8d5cec2250597c765
    • Instruction ID: 3a2f103c46a11233783c6ab8a6cc17427d980e2b855fd588170b7a5c96628425
    • Opcode Fuzzy Hash: 6a1df537e689fd45a76b5db81003aac94b33a931cdcdbbc8d5cec2250597c765
    • Instruction Fuzzy Hash: 46517CF3E052089BE3042E3DDD45766B6DADFE4321F2B463ED79443B88ED3658058196
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 86a1b1756e44877e67c66437b6baccbb72fc907188ae59e9bce8c04c9fdc56ae
    • Instruction ID: d282ba9342dc8896f1c8a77f5ae82f989c43c08cfc76fa9765e2c318cde42710
    • Opcode Fuzzy Hash: 86a1b1756e44877e67c66437b6baccbb72fc907188ae59e9bce8c04c9fdc56ae
    • Instruction Fuzzy Hash: 915117B3A0C318EFD704AA29EC4557EBBE9EF84660F16493EE5C5CB700EA715841C792
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eb91997e1f5773e9ddf4c28cb37cc23a5bb59d3d5d2acca4c286272bcdf2bf77
    • Instruction ID: 3d603acaa87491b24d8a20212e72c28f3e0a8f4497ce986222041cc24ec96fe3
    • Opcode Fuzzy Hash: eb91997e1f5773e9ddf4c28cb37cc23a5bb59d3d5d2acca4c286272bcdf2bf77
    • Instruction Fuzzy Hash: 9C515AB3A082004BF308AE2DDD85776B7D6DB84310F2A823DDB85D77C4EAB96D154386
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9f9e307870781909883bdc7b285d45fb8b4a19653122905c9414172a794bad92
    • Instruction ID: 78247919ed9d264853ab021d906742821af3659657d8058d0c3b335cc9e43ead
    • Opcode Fuzzy Hash: 9f9e307870781909883bdc7b285d45fb8b4a19653122905c9414172a794bad92
    • Instruction Fuzzy Hash: 9541BCB650C2049FE315BE19D9817BEFBE9FFD4720F12882EE7C583A10EA3454458A97
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a86837364883aed79725dac5f6fcb7ed969d0306e462120779cb0a087155bf60
    • Instruction ID: 688c5b37eddce3d39c1c1be8565340072b13073cb45a08ee8678bd8ea9447a0a
    • Opcode Fuzzy Hash: a86837364883aed79725dac5f6fcb7ed969d0306e462120779cb0a087155bf60
    • Instruction Fuzzy Hash: 0C51A0B390C600CFD310BE29D88577EF7E5EBD4324F16862DE6D583684D63458418783
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 595408b61b2c6b619bb4eabcf854bcbcc1eb5e6c82210036d1909f8accd52d98
    • Instruction ID: de4b86bbe39a7f8aff31fcc8d2379f196c5509fc3a7f9873558c6fc0728cc279
    • Opcode Fuzzy Hash: 595408b61b2c6b619bb4eabcf854bcbcc1eb5e6c82210036d1909f8accd52d98
    • Instruction Fuzzy Hash: 8B41D4B390C3089FE304BE29DC0562AF7E9EFD4720F1A852DEAC4D3754FA3958158696
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2b7b98d3366a966d29c4f8b7afc05049f5589f3e56b46f57b9b61de0c4816b1e
    • Instruction ID: a7b0b31a978e215a6328a04d0db46f275314b29aa6d4b9920e307d66d65cf1ea
    • Opcode Fuzzy Hash: 2b7b98d3366a966d29c4f8b7afc05049f5589f3e56b46f57b9b61de0c4816b1e
    • Instruction Fuzzy Hash: 6C4137F210C300AFE306AF29D88167AFBF9EF54720F26482DE6C486651E7355594CB57
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b76372acf1a52beed04263fc84b22e8640d8dc3af4212acf850ca1042451ce38
    • Instruction ID: cf198ff7bae0c5e55033ab32703f7417387cdc0cfc1047f4701d36a7aa876678
    • Opcode Fuzzy Hash: b76372acf1a52beed04263fc84b22e8640d8dc3af4212acf850ca1042451ce38
    • Instruction Fuzzy Hash: 47319AB650C6049FE309BF19C88267EFBE8EF98310F16092DE6C283350EA7564548B97
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 73bb643c34ba59072a75482dd6db1350f50eb7184c4c65276503d72e861522f4
    • Instruction ID: b88d2f24da7949e8c90a8f45d150d9910db766d450200f247d23b0ce56003945
    • Opcode Fuzzy Hash: 73bb643c34ba59072a75482dd6db1350f50eb7184c4c65276503d72e861522f4
    • Instruction Fuzzy Hash: AB3126F3E245200BF7585978ED593A32286D784330F2E423D9E45EB7C5EC3E5D090295
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e49273a86b4af197b099d7709c2b4eb84d21023335909c2d243e435b42e27d8c
    • Instruction ID: f6652af70135ab7b95305fd7557e86ad1b3023e568d5659e5a11e7ebf1d4d0ed
    • Opcode Fuzzy Hash: e49273a86b4af197b099d7709c2b4eb84d21023335909c2d243e435b42e27d8c
    • Instruction Fuzzy Hash: CA3138B350C600AFE709BE29D89277EFBE5FB58310F16092DE6D683740EA356400CA97
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a6b50a1fc41279192d4fbec62c3a7dcb20023e432f53c4b00eb01cb076207c13
    • Instruction ID: 1fa1910c77ad31697a751f1f5a79b5291ae549b0ccbbe90754ae65a0f6e15eb7
    • Opcode Fuzzy Hash: a6b50a1fc41279192d4fbec62c3a7dcb20023e432f53c4b00eb01cb076207c13
    • Instruction Fuzzy Hash: 0A21F8B320C6059FE2046E29DC8593FB7D7FBD4710F25442DF2C18721CDA7468828A56
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1d79cb81c5aab3c40537ad060e3a6937c6310caddb58a4eddffd93b9ed738384
    • Instruction ID: 9c8ec85aa9b6bd7fcbfbd123c44ebd81d555a4b2141d278b2ed416145610680f
    • Opcode Fuzzy Hash: 1d79cb81c5aab3c40537ad060e3a6937c6310caddb58a4eddffd93b9ed738384
    • Instruction Fuzzy Hash: DD01467615428A8BEB04CF84C1056EBBBB4FF48720F2582AAD8016BB50D3706CD0CB89
    APIs
      • Part of subcall function 0104DB87: GetCurrentThreadId.KERNEL32 ref: 0104DB96
      • Part of subcall function 0104DB87: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 0104DBD9
      • Part of subcall function 01052288: IsBadWritePtr.KERNEL32(?,00000004), ref: 01052296
    • wsprintfA.USER32 ref: 01051250
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 01051314
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: a60c4950696e48c4fedf65c2bf18422a1729b82e30bf176b5d290ff124e3b754
    • Instruction ID: e419f16b48df4f81d68f44d9d6c1bde3943d20c97cf6db6ddf6352d8e6efc48f
    • Opcode Fuzzy Hash: a60c4950696e48c4fedf65c2bf18422a1729b82e30bf176b5d290ff124e3b754
    • Instruction Fuzzy Hash: 4231D27590010AFBDF11DF98DC49EEEBBB9FF98310F108125F911A61A0C7719A61DB60
    APIs
    • GetFileAttributesExW.KERNEL32(0088518C,00004020,00000000,-11465FEC), ref: 01051EC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1975258440.0000000001000000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E60000, based on PE: true
    • Associated: 00000000.00000002.1975203925.0000000000E60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975221223.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975240292.0000000000E66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.0000000000E6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000110A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975258440.000000000111A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975538125.000000000111B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975695145.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1975716944.00000000012CC000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_e60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 3aab28712d1c5cfbaf6970eff9a6b6c2c5317cfdefc9761ec4158c920a6de74a
    • Instruction ID: 206c1daf03caf1cbaccac331e23113f72789c9826aa25f0da427c919ef5a2e0e
    • Opcode Fuzzy Hash: 3aab28712d1c5cfbaf6970eff9a6b6c2c5317cfdefc9761ec4158c920a6de74a
    • Instruction Fuzzy Hash: 66317CB1504706EFDB25CF59D884B9FBFB4FF04310F008629E99567690C3B4A6A5DB90