Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532858
MD5: 5447bc45a84b461600e8677f1f130cca
SHA1: 1d11ff9172370a8a73b2342e9d129760eadd92a2
SHA256: 1b16d450185a72ab32f6b20370fcdf53d505f77940db387355938f25ce51813d
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2452 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 5447BC45A84B461600E8677F1F130CCA)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | Virustotal: Detection: 54%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6E547 CryptVerifySignatureA, 0_2_00D6E547
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000003.2065044458.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F | 0_2_00CFE00F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D064F8 | 0_2_00D064F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D014FF | 0_2_00D014FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFC59E | 0_2_00CFC59E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CF98B2 | 0_2_00CF98B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D04A83 | 0_2_00D04A83
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0BB7A | 0_2_00D0BB7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFAB03 | 0_2_00CFAB03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C79D4C | 0_2_00C79D4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D26D25 | 0_2_00D26D25
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D07F73 | 0_2_00D07F73
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00D6953C appears 35 times
Source: file.exe, 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2201321857.000000000155E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Section: kcbkgpof ZLIB complexity 0.9948704154191617
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1735680 > 1048576
Source: file.exe | Static PE information: Raw size of kcbkgpof is bigger than: 0x100000 < 0x1a1800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.b90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcbkgpof:EW;fpbbzirp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b0f0f should be: 0x1b60d2
Source: file.exe | Static PE information: section name: kcbkgpof
Source: file.exe | Static PE information: section name: fpbbzirp
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1DA91 push edx; mov dword ptr [esp], eax | 0_2_00D1DB04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D250D0 push edi; mov dword ptr [esp], eax | 0_2_00D250E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D250D0 push edi; mov dword ptr [esp], ecx | 0_2_00D25119
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D200DA push 23758B9Eh; mov dword ptr [esp], eax | 0_2_00D2012F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D200DA push esi; mov dword ptr [esp], eax | 0_2_00D2113E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1E0DB push edi; mov dword ptr [esp], 4F2FBBE1h | 0_2_00D1E0F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1E0DB push ebx; mov dword ptr [esp], 76FD5D87h | 0_2_00D1E103
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C270F2 push 3ADEE700h; mov dword ptr [esp], edx | 0_2_00C27188
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C270F2 push edi; mov dword ptr [esp], 1406F0FDh | 0_2_00C2719B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCE0F9 push 41585EC6h; mov dword ptr [esp], ebx | 0_2_00BCE114
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCE0F9 push 5FE4DB60h; mov dword ptr [esp], esi | 0_2_00BCE162
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCE0F9 push esi; mov dword ptr [esp], esp | 0_2_00BCE18A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D210B7 push ecx; mov dword ptr [esp], 7D3EC3C7h | 0_2_00D210E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1D049 push eax; mov dword ptr [esp], ebp | 0_2_00D20F65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D20077 push 31083204h; mov dword ptr [esp], ebp | 0_2_00D2105F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push ecx; mov dword ptr [esp], eax | 0_2_00CFE014
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push esi; mov dword ptr [esp], esp | 0_2_00CFE033
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push edi; mov dword ptr [esp], ecx | 0_2_00CFE08D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push eax; mov dword ptr [esp], 2EE83007h | 0_2_00CFE0A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push esi; mov dword ptr [esp], 1FDD5AD2h | 0_2_00CFE0AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push edi; mov dword ptr [esp], esi | 0_2_00CFE1A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push edx; mov dword ptr [esp], eax | 0_2_00CFE253
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push ebp; mov dword ptr [esp], esi | 0_2_00CFE260
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push 391E20DEh; mov dword ptr [esp], ebx | 0_2_00CFE2FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push 0E5A9E39h; mov dword ptr [esp], edi | 0_2_00CFE30D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push ecx; mov dword ptr [esp], 6CC6B333h | 0_2_00CFE31F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push edi; mov dword ptr [esp], edx | 0_2_00CFE4B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push 5D10BAF4h; mov dword ptr [esp], eax | 0_2_00CFE4EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push ebx; mov dword ptr [esp], edx | 0_2_00CFE51E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push eax; mov dword ptr [esp], esp | 0_2_00CFE58F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CFE00F push eax; mov dword ptr [esp], esi | 0_2_00CFE5B3
Source: file.exe | Static PE information: section name: entropy: 7.811568321640306
Source: file.exe | Static PE information: section name: kcbkgpof entropy: 7.953227771060923

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D43DE0 second address: D43DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF226Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4507C second address: D45080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D45080 second address: D4508A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47867 second address: D4786B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4590A second address: D45926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FDE3CFF2271h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4786B second address: D47875 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D45926 second address: D4592B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47875 second address: D47900 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE3D69CA36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FDE3D69CA48h 0x00000011 nop 0x00000012 mov esi, ebx 0x00000014 push 00000000h 0x00000016 sub dword ptr [ebp+122D2685h], edi 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 call 00007FDE3D69CA38h 0x00000026 pop esi 0x00000027 mov dword ptr [esp+04h], esi 0x0000002b add dword ptr [esp+04h], 00000019h 0x00000033 inc esi 0x00000034 push esi 0x00000035 ret 0x00000036 pop esi 0x00000037 ret 0x00000038 pushad 0x00000039 jmp 00007FDE3D69CA47h 0x0000003e mov ecx, 4B4B23C1h 0x00000043 popad 0x00000044 xchg eax, ebx 0x00000045 jmp 00007FDE3D69CA3Bh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jnl 00007FDE3D69CA3Ch 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48DEA second address: D48DEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49965 second address: D4996F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDE3D69CA36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4996F second address: D499FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF2272h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FDE3CFF2268h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov esi, dword ptr [ebp+122D37BBh] 0x0000002a mov dword ptr [ebp+1245B429h], edx 0x00000030 push 00000000h 0x00000032 mov esi, 56D53400h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007FDE3CFF2268h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 add dword ptr [ebp+1245B18Fh], eax 0x00000059 jmp 00007FDE3CFF2276h 0x0000005e xchg eax, ebx 0x0000005f push ebx 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D499FB second address: D49A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FDE3D69CA36h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e jne 00007FDE3D69CA38h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49A15 second address: D49A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A50A second address: D4A50E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A50E second address: D4A52A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF2278h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A52A second address: D4A534 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDE3D69CA3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A534 second address: D4A545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FDE3CFF2266h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4A545 second address: D4A54F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE3D69CA36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02A83 second address: D02A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02A89 second address: D02AE2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE3D69CA46h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jnl 00007FDE3D69CA3Ah 0x00000014 pushad 0x00000015 jmp 00007FDE3D69CA44h 0x0000001a jbe 00007FDE3D69CA36h 0x00000020 jbe 00007FDE3D69CA36h 0x00000026 jmp 00007FDE3D69CA3Ah 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e push ebx 0x0000002f pop ebx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4ECC0 second address: D4ECEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE3CFF2274h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jp 00007FDE3CFF2266h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D500ED second address: D5015C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDE3D69CA36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FDE3D69CA38h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 xor dword ptr [ebp+122D2132h], eax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FDE3D69CA38h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Bh 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 mov edi, 0EB25BD3h 0x0000004e push 00000000h 0x00000050 mov bh, E7h 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 jbe 00007FDE3D69CA38h 0x0000005b push ebx 0x0000005c pop ebx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5015C second address: D50161 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D50383 second address: D50387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D513D4 second address: D513DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDE3CFF2266h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D522AC second address: D522B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D513DF second address: D513E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D522B1 second address: D522B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5321D second address: D53227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FDE3CFF2266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54101 second address: D54107 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D513E4 second address: D513EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D522B6 second address: D522D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jmp 00007FDE3D69CA42h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D53227 second address: D5322B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54107 second address: D5410B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D522D7 second address: D5235C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FDE3CFF2268h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 cmc 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 mov dword ptr [ebp+12443C30h], edi 0x00000037 mov eax, dword ptr [ebp+122D0DE5h] 0x0000003d mov di, ax 0x00000040 add edi, dword ptr [ebp+122D1867h] 0x00000046 push FFFFFFFFh 0x00000048 mov dword ptr [ebp+122D1A4Dh], edi 0x0000004e jmp 00007FDE3CFF2275h 0x00000053 nop 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FDE3CFF2275h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5322B second address: D532BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jno 00007FDE3D69CA3Ah 0x0000000f nop 0x00000010 movsx edi, si 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FDE3D69CA38h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D391Fh] 0x0000003a mov ebx, dword ptr [ebp+122D36ABh] 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 jmp 00007FDE3D69CA3Dh 0x0000004c mov eax, dword ptr [ebp+122D1221h] 0x00000052 push 00000000h 0x00000054 push eax 0x00000055 call 00007FDE3D69CA38h 0x0000005a pop eax 0x0000005b mov dword ptr [esp+04h], eax 0x0000005f add dword ptr [esp+04h], 00000018h 0x00000067 inc eax 0x00000068 push eax 0x00000069 ret 0x0000006a pop eax 0x0000006b ret 0x0000006c push FFFFFFFFh 0x0000006e mov dword ptr [ebp+12482B3Ch], eax 0x00000074 nop 0x00000075 push eax 0x00000076 push edx 0x00000077 jnc 00007FDE3D69CA38h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55D2E second address: D55D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5410B second address: D54171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push edi 0x0000000a mov dword ptr [ebp+122D1BE3h], edi 0x00000010 pop ebx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 sbb di, CAB8h 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007FDE3D69CA38h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 0000001Ah 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e add dword ptr [ebp+1246C864h], ebx 0x00000044 mov eax, dword ptr [ebp+122D16CDh] 0x0000004a pushad 0x0000004b movzx ebx, dx 0x0000004e stc 0x0000004f popad 0x00000050 push FFFFFFFFh 0x00000052 mov edi, dword ptr [ebp+122D3667h] 0x00000058 nop 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54171 second address: D54175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D54175 second address: D5417E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5417E second address: D5419A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDE3CFF2273h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5419A second address: D541B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE3D69CA48h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56D34 second address: D56D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56D38 second address: D56D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FDE3D69CA48h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D56D59 second address: D56D5E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57DCF second address: D57DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D57DD3 second address: D57DD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D58D4E second address: D58D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C502 second address: D5C506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E46A second address: D5E4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, 58963D56h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FDE3D69CA38h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov dword ptr [ebp+122D2FB6h], ecx 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pushad 0x00000037 popad 0x00000038 pop edi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E4AB second address: D5E4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE3CFF226Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60547 second address: D6058A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3D69CA48h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jnl 00007FDE3D69CA36h 0x00000012 jbe 00007FDE3D69CA36h 0x00000018 pop esi 0x00000019 pop esi 0x0000001a pushad 0x0000001b jmp 00007FDE3D69CA40h 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6058A second address: D60593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B5C0 second address: D5B5C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B5C6 second address: D5B5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B5CA second address: D5B5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B5CE second address: D5B678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jnl 00007FDE3CFF2276h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 xor edi, dword ptr [ebp+122D1F9Fh] 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push edx 0x00000028 call 00007FDE3CFF2268h 0x0000002d pop edx 0x0000002e mov dword ptr [esp+04h], edx 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc edx 0x0000003b push edx 0x0000003c ret 0x0000003d pop edx 0x0000003e ret 0x0000003f jmp 00007FDE3CFF226Bh 0x00000044 mov eax, dword ptr [ebp+122D1261h] 0x0000004a push 00000000h 0x0000004c push ebx 0x0000004d call 00007FDE3CFF2268h 0x00000052 pop ebx 0x00000053 mov dword ptr [esp+04h], ebx 0x00000057 add dword ptr [esp+04h], 00000019h 0x0000005f inc ebx 0x00000060 push ebx 0x00000061 ret 0x00000062 pop ebx 0x00000063 ret 0x00000064 mov edi, dword ptr [ebp+122D1A1Eh] 0x0000006a push FFFFFFFFh 0x0000006c movzx edi, cx 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FDE3CFF2271h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E607 second address: D5E60B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68116 second address: D6811A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6811A second address: D68126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68126 second address: D6812C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFA63A second address: CFA63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67A32 second address: D67A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67B9D second address: D67BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D67BA3 second address: D67BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D71651 second address: D716A0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDE3D69CA42h 0x00000008 jc 00007FDE3D69CA38h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007FDE3D69CA44h 0x00000023 jnl 00007FDE3D69CA36h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d pop eax 0x0000002e je 00007FDE3D69CA36h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D716A0 second address: D716A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D79198 second address: D7919F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EFF7 second address: D7F01C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF226Fh 0x00000007 jmp 00007FDE3CFF226Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jo 00007FDE3CFF2268h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B154 second address: D0B161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jc 00007FDE3D69CA42h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B161 second address: D0B167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DDDE second address: D7DDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DDE4 second address: D7DDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DDEC second address: D7DDF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7DDF9 second address: D7DDFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EBAD second address: D7EBB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7EBB1 second address: D7EBE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF2274h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FDE3CFF2274h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D838CA second address: D838D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D838D0 second address: D838D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89D8B second address: D89D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D094F0 second address: D094F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA528 second address: DAA536 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE3D69CA36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA536 second address: DAA540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDE3CFF2266h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA540 second address: DAA548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB2C06 second address: DB2C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB2C0F second address: DB2C19 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDE3D69CA3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0C82 second address: DB0C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0C86 second address: DB0C8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0C8A second address: DB0C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FDE3CFF226Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0C9A second address: DB0CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE3D69CA3Bh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0CAB second address: DB0CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0CAF second address: DB0CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB0E0B second address: DB0E10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1260 second address: DB1264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB14F2 second address: DB14F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB14F6 second address: DB1511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FDE3D69CA3Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1511 second address: DB152A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FDE3CFF2266h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007FDE3CFF2266h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB180D second address: DB1820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FDE3D69CA36h 0x0000000a pop ebx 0x0000000b jl 00007FDE3D69CA3Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1820 second address: DB1824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1B3F second address: DB1B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1B49 second address: DB1B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1B54 second address: DB1B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1B58 second address: DB1B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FDE3CFF226Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1B6E second address: DB1B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1E25 second address: DB1E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB20AF second address: DB20B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDE3D69CA36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB20B9 second address: DB20CB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDE3CFF2266h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FDE3CFF226Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB2941 second address: DB294F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007FDE3D69CA3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB294F second address: DB295D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007FDE3CFF2266h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6A6A second address: DB6A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE3D69CA47h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FDE3D69CA36h 0x00000012 jnc 00007FDE3D69CA36h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6A94 second address: DB6A98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB5B31 second address: DB5B35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB613D second address: DB6143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6143 second address: DB6175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE3D69CA3Ah 0x00000009 popad 0x0000000a jmp 00007FDE3D69CA3Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDE3D69CA47h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB630A second address: DB6310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6310 second address: DB6316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6316 second address: DB631F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB631F second address: DB6323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB6456 second address: DB645C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1005 second address: DC1022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDE3D69CA36h 0x0000000a jg 00007FDE3D69CA36h 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007FDE3D69CA36h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1022 second address: DC1026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC1026 second address: DC102A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0A2F second address: DC0A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0A37 second address: DC0A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 js 00007FDE3D69CA42h 0x0000000d jnp 00007FDE3D69CA36h 0x00000013 jne 00007FDE3D69CA36h 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0A53 second address: DC0A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FDE3CFF2272h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC0A6E second address: DC0A8A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FDE3D69CA43h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC4F64 second address: DC4F95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF226Ah 0x00000007 pushad 0x00000008 jmp 00007FDE3CFF226Fh 0x0000000d jno 00007FDE3CFF2266h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 ja 00007FDE3CFF2266h 0x0000001f push esi 0x00000020 pop esi 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC4F95 second address: DC4F9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB10F second address: DCB11E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jbe 00007FDE3CFF2266h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB11E second address: DCB124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB124 second address: DCB135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007FDE3CFF226Eh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB27B second address: DCB286 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCB3B7 second address: DCB3EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF2279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007FDE3CFF2274h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDB714 second address: DDB718 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDB718 second address: DDB71E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDB24C second address: DDB261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE3D69CA41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE113 second address: DDE13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FDE3CFF2266h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FDE3CFF2277h 0x00000011 push edx 0x00000012 pop edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE13C second address: DDE144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDE144 second address: DDE14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE3114 second address: DE3119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE3264 second address: DE3293 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE3CFF226Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007FDE3CFF226Bh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 ja 00007FDE3CFF2266h 0x0000001b push edx 0x0000001c pop edx 0x0000001d jg 00007FDE3CFF2266h 0x00000023 popad 0x00000024 pushad 0x00000025 push edx 0x00000026 pop edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6739 second address: DF674E instructions: 0x00000000 rdtsc 0x00000002 js 00007FDE3D69CA38h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jng 00007FDE3D69CA36h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF674E second address: DF677C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE3CFF2279h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FDE3CFF226Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4F83 second address: DF4F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDE3D69CA36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4F8D second address: DF4FAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE3CFF2276h 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5115 second address: DF514E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FDE3D69CA42h 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FDE3D69CA49h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF514E second address: DF5152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5152 second address: DF515F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF56E7 second address: DF5704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3CFF2279h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5846 second address: DF5877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 je 00007FDE3D69CA36h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007FDE3D69CA47h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jp 00007FDE3D69CA4Ah 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5877 second address: DF587D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF59E5 second address: DF59E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF59E9 second address: DF59F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF9DA1 second address: DF9DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB98C second address: DFB99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FDE3CFF2266h 0x0000000d ja 00007FDE3CFF2266h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E065CE second address: E065D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E065D2 second address: E065D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E065D6 second address: E065DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E098CF second address: E098D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E098D4 second address: E09907 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FDE3D69CA3Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FDE3D69CA40h 0x00000012 jmp 00007FDE3D69CA44h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E16495 second address: E1649B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1649B second address: E164A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E164A1 second address: E164C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE3CFF2272h 0x00000009 popad 0x0000000a push edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E199D6 second address: E199FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FDE3D69CA49h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E199FA second address: E199FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E199FE second address: E19A32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE3D69CA44h 0x00000007 jng 00007FDE3D69CA36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edi 0x00000014 jmp 00007FDE3D69CA3Dh 0x00000019 pop edi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B012 second address: E1B02B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FDE3CFF226Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B02B second address: E1B05C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FDE3D69CA49h 0x0000000f push eax 0x00000010 jmp 00007FDE3D69CA3Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1B05C second address: E1B061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E20DE3 second address: E20DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 jnc 00007FDE3D69CA36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E200D0 second address: E200D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E200D4 second address: E200D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E20533 second address: E2053F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDE3CFF2266h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E2053F second address: E20572 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FDE3D69CA3Fh 0x00000010 js 00007FDE3D69CA4Dh 0x00000016 jmp 00007FDE3D69CA41h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E20572 second address: E20590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007FDE3CFF226Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Each entry below is a pair of RDTSC reads only a few bytes apart, separated by opaque stack pushes, pops and jumps; the sample compares the two timestamps and treats a large gap as evidence of single-stepping, a debugger, or a hypervisor that traps RDTSC. The "interceptor" in the signature name is the sandbox's own RDTSC trap, which is exactly the instrumentation such a check is designed to notice.
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E225F4, second address E2260D; instructions: 0x00 rdtsc; 0x02 jmp 00007FDE3D69CA3Dh; 0x07 pop edx; 0x08 pop eax; 0x09 push ebx; 0x0a jo 00007FDE3D69CA36h; 0x10 pop ebx; 0x11 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E2C149, second address E2C153; instructions: 0x00 rdtsc; 0x02 jnl 00007FDE3CFF226Ch; 0x08 push eax; 0x09 push edx; 0x0a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E2C153, second address E2C160; instructions: 0x00 rdtsc; 0x02 pop edx; 0x03 pop eax; 0x04 pushad; 0x05 jc 00007FDE3D69CA36h; 0x0b push eax; 0x0c push edx; 0x0d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E2695C, second address E26966; instructions: 0x00 rdtsc; 0x02 jnl 00007FDE3CFF2266h; 0x08 pop edx; 0x09 pop eax; 0x0a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E26966, second address E26980; instructions: 0x00 rdtsc; 0x02 push eax; 0x03 push edx; 0x04 jmp 00007FDE3D69CA46h; 0x09 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E26980, second address E26984; instructions: 0x00 rdtsc; 0x02 push eax; 0x03 push edx; 0x04 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E254BB, second address E254C7; instructions: 0x00 rdtsc; 0x02 push eax; 0x03 push edx; 0x04 ja 00007FDE3D69CA36h; 0x0a pushad; 0x0b popad; 0x0c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E254C7, second address E254FA; instructions: 0x00 rdtsc; 0x02 jmp 00007FDE3CFF226Ch; 0x07 pop edx; 0x08 pop eax; 0x09 push eax; 0x0a push edx; 0x0b jmp 00007FDE3CFF226Dh; 0x10 jmp 00007FDE3CFF2274h; 0x15 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address E257B6, second address E257BB; instructions: 0x00 rdtsc; 0x02 push esi; 0x03 push eax; 0x04 push edx; 0x05 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: first address D45D5C, second address D45D60; instructions: 0x00 rdtsc; 0x02 push eax; 0x03 push edx; 0x04 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: first address B9DA0A, instructions caused by: self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: first address D41950, instructions caused by: self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: first address DCEFF1, instructions caused by: self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: first address BA2021, instructions caused by: self-modifying code (the protector decrypts and re-encrypts code pages as it runs, which is consistent with the NtProtectVirtualMemory overflow noted in the cookbook comments further down)
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 54C0000, memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 56E0000, memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 54E0000, memory reserve | memory write watch (MEM_WRITE_WATCH regions let the code ask GetWriteWatch whether anything other than itself, such as an injected hook or an emulator, has touched the pages)
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000, name: DriverDesc (the display-adapter device class; the driver description names the VMware, VirtualBox or Hyper-V display driver on a guest)
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System, name: VideoBiosVersion (BIOS version strings identify VirtualBox, VMware and QEMU/Bochs firmware)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2A01F rdtsc
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D259B8 sidt fword ptr [esp-02h] (the classic "Red Pill": the IDT base returned by SIDT was relocated by older software hypervisors; the check is unreliable on hardware-virtualized guests)
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477 (this is 2^63-1 in 100 ns units, the largest possible timeout, i.e. an effectively infinite sleep that only a sandbox which skips sleeps will get past)
Source: C:\Users\user\Desktop\file.exe, TID 6720 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D759E5 GetSystemInfo, VirtualAlloc
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
(Oreans.vxd and Software\WinLicense are strings of Oreans Technologies' WinLicense/Themida protector, and the driver-extraction error messages belong to its service-installing driver loader; together with the .taggant section and the SIDT/RDTSC checks this indicates the sample is wrapped in that protector. HARDWARE\ACPI\DSDT\VBOX__ is the ACPI table key that exists only under VirtualBox.)
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger (NtSetInformationThread with ThreadHideFromDebugger: debug events from this thread are no longer delivered to an attached debugger, so a breakpoint in it terminates the process instead of breaking)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass (Sysinternals Regmon window class)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com (Process Monitor window title)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class (Process Monitor window class, still used by current versions)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com (Regmon window title)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg (OllyDbg main window class)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass (Sysinternals Filemon window class)
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com (Filemon window title)
Source: C:\Users\user\Desktop\file.ex | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID (\\.\NTICE, \\.\SICE and \\.\SIWVID are device names created by the SoftICE kernel debugger and its video driver; opening them succeeds only when SoftICE is loaded)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort)
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2A01F rdtsc
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug (SeDebugPrivilege enabled in the process token)
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard (PAGE_GUARD pages raise an exception on first access; protectors expect to receive that exception in their own handler, so a debugger that swallows it reveals itself, and the same mechanism lets them decrypt pages lazily)
Source: file.exe, 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: nXProgram Manager ("Program Manager" is the title of the desktop's Progman window; looking it up tests for an interactive shell)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6D689 GetSystemTime, GetFileTime (wall-clock timing comparison)

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications, DisableNotifications = 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection = 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring = 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications = 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection = 0 (the report does not show which key this value was written under; on a system where Tamper Protection is enabled Defender ignores registry writes to its own settings, so this is evidence of intent, not proof that protection was switched off)
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, AUOptions (value data not shown)
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, AutoInstallMinorUpdates (value data not shown)
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotConnectToWindowsUpdateInternetLocations (value data not shown)
Taken together these writes disable real-time and download scanning by policy, silence Security Center, and keep Windows Update away from Microsoft's servers; all of them are HKLM policy keys, which the process could only write because it ran with administrator privileges (see the process table below).
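The policy writes above map directly onto a registry-event detection. The following is an added example, not part of the Joe Sandbox report, that evaluates Sysmon-style registry-set events (the TargetObject and Details fields) against the exact value names and keys listed in this section. The events are constructed for the example, and the key path used for the TamperProtection event is an assumption because the report shows only the value name.

```python
"""Flag the Defender / Windows Update policy writes listed in the report, given
registry-set events in Sysmon Event ID 13 shape. Added example; events are constructed."""
import re

DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
WU_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# (value name, key the value must live under or None for any key,
#  data that indicates tampering or None for "any write", description)
RULES = [
    ("DisableRealtimeMonitoring", DEFENDER_POLICY + r"\Real-Time Protection", 1,
     "Defender real-time monitoring disabled by policy"),
    ("DisableIOAVProtection", DEFENDER_POLICY + r"\Real-Time Protection", 1,
     "Defender scanning of downloads and attachments disabled by policy"),
    ("DisableNotifications",
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications", 1,
     "Security Center notifications suppressed"),
    # The report shows only the value name for this one, so match it under any key.
    ("TamperProtection", None, 0, "Tamper Protection switched off in the registry"),
    ("AUOptions", WU_POLICY + r"\AU", None, "Automatic Updates policy changed"),
    ("AutoInstallMinorUpdates", WU_POLICY + r"\AU", None, "Automatic Updates policy changed"),
    ("DoNotConnectToWindowsUpdateInternetLocations", WU_POLICY, None,
     "Windows Update cut off from Microsoft update servers"),
]


def normalize_key(path: str) -> str:
    """Canonical key form: short hive name, case-folded, no trailing backslash."""
    path = path.strip().rstrip("\\")
    path = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", path, flags=re.I)
    return path.lower()


def parse_details(details: str):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the integer, or None."""
    m = re.search(r"\((0x[0-9a-f]+|\d+)\)", details, flags=re.I)
    if not m:
        return None
    g = m.group(1)
    return int(g, 16) if g.lower().startswith("0x") else int(g)


def evaluate(events: list) -> list:
    """Return one finding per event that matches a rule (value name, key and data)."""
    findings = []
    for ev in events:
        key, _, value_name = ev["TargetObject"].rpartition("\\")
        data = parse_details(ev.get("Details", ""))
        for name, required_key, bad_data, why in RULES:
            if value_name.lower() != name.lower():
                continue
            if required_key is not None and normalize_key(key) != normalize_key(required_key):
                continue
            if bad_data is not None and data != bad_data:
                continue
            findings.append({"image": ev.get("Image", ""), "value": value_name,
                             "data": data, "reason": why})
    return findings


SAMPLE_PROCESS = r"C:\Users\user\Desktop\file.exe"
# Constructed events modelled on the writes in the report. The TamperProtection key
# path below is an assumption; the report does not show it.
EVENTS = [
    {"Image": SAMPLE_PROCESS, "Details": "DWORD (0x00000001)",
     "TargetObject": DEFENDER_POLICY + r"\Real-Time Protection\DisableRealtimeMonitoring"},
    {"Image": SAMPLE_PROCESS, "Details": "DWORD (0x00000001)",
     "TargetObject": DEFENDER_POLICY + r"\Real-Time Protection\DisableIOAVProtection"},
    {"Image": SAMPLE_PROCESS, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications"},
    {"Image": SAMPLE_PROCESS, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"Image": SAMPLE_PROCESS, "Details": "DWORD (0x00000001)",
     "TargetObject": WU_POLICY + r"\AU\AUOptions"},
    {"Image": SAMPLE_PROCESS, "Details": "DWORD (0x00000001)",
     "TargetObject": WU_POLICY + r"\DoNotConnectToWindowsUpdateInternetLocations"},
    # Benign: an administrator turning real-time monitoring back on, and an unrelated write.
    {"Image": r"C:\Windows\regedit.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": DEFENDER_POLICY + r"\Real-Time Protection\DisableRealtimeMonitoring"},
    {"Image": r"C:\Program Files\Example\app.exe", "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKLM\SOFTWARE\Example\Version"},
]

if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"{f['image']}: {f['value']}={f['data']} -> {f['reason']}")
```

Matching the Defender policy values on data 1 rather than on any write keeps an administrator's re-enable (data 0) out of the findings, while the Windows Update values are flagged on any write because the report gives no data for them. TamperProtection is matched on value name alone; a hit there is worth escalating even though Defender with Tamper Protection on will ignore the write. Anything other than the Group Policy client or an MDM agent touching these keys with an administrative token deserves a look.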
MITRE ATT&CK Matrix (techniques with matching signatures; the number is the count of signatures mapped to the technique)
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2)
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (271), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1), Bypass User Account Control (2)
  • Discovery: System Time Discovery (1), Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (271), System Information Discovery (24)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (2)
  • Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no mapped signatures
Source | Detection | Scanner | Label
file.exe | 55% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532858
Start date and time: 2024-10-14 02:17:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
The preview has the format of the CLR's assembly-binding usage log, and the entry records the 32-bit .NET 4 runtime loading the native image of the System assembly: the native-looking protector stub therefore hosted the CLR, so the payload underneath is most likely managed code. The "Malicious: true" flag is inherited from the process that wrote the file, which is why it coexists with the "very likely benign" reputation.
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.932645555761411
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'735'680 bytes
MD5: 5447bc45a84b461600e8677f1f130cca
SHA1: 1d11ff9172370a8a73b2342e9d129760eadd92a2
SHA256: 1b16d450185a72ab32f6b20370fcdf53d505f77940db387355938f25ce51813d
SHA512: 60bf2f16f8277ac8548e581f83b705aec30553211b81fae0e99480c35d8736b085d21ae7e9c65b1d9058a092f4b09ec2f133e51637931ec12ed3b68ea8cbca3f
SSDEEP: 24576:hI/d7RmgSg8o1gnxaKQNhx7Y1k+QBEpokAaVE/jFdocOGCrtCbbJn7tUgoD31:OpQhIvx81jQ3koDo1G+in7fU1
TLSH: 3085331667C380F7C44BF1BAB37D216FAE4A99433095F7FA861802176D72B952E83709
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............D.. ...`....@.. ....................... E...........`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x84e000 (image base 0x400000 + RVA 0x44e000, the first byte of the .taggant section)
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE (HIGH_ENTROPY_VA has no effect on a 32-bit image; DYNAMIC_BASE is why the process was relocated to 0xB90000 at runtime)
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none listed)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instructions at the entry point (0x84e000, start of .taggant). Only the first instruction is real code: the entry stub is a single jmp into the protector, and the bytes after it are data that the disassembler decodes as junk.
jmp 00007FDE3D246A8Ah
cvtps2pd xmm3, qword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi-80h], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], cl
add eax, dword ptr [eax]
add byte ptr [eax], al (repeated 74 times: the rest of the listing is zero-filled bytes, which decode as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
An 8-byte relocation directory is a single empty relocation block: enough for the loader to apply ASLR to the image (it was relocated to 0xB90000) without describing any real fixups, so the protector has to handle those itself. The empty COM descriptor confirms the file itself is not a .NET assembly, even though the dropped usage log shows the process hosting the CLR.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no printable name) | 0x2000 | 0x4000 | 0x1200 | 76c5d4ed06ef9f278d16327f9e553151 | False | 0.9340277777777778 | data | 7.811568321640306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no printable name) | 0xa000 | 0x2a0000 | 0x200 | 486cce44b53f1b21e57b9bf983c6ee73 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kcbkgpof | 0x2aa000 | 0x1a2000 | 0x1a1800 | f23e30bb9dab1484c8c1b097f24a0847 | False | 0.9948704154191617 | data | 7.953227771060923 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fpbbzirp | 0x44c000 | 0x2000 | 0x600 | e8b2f4bd6067939fad7f1ea8560a49ba | False | 0.5618489583333334 | data | 4.9404232889629975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x44e000 | 0x4000 | 0x2200 | dc0e49803b74c951700f9d626747f977 | False | 0.04377297794117647 | DOS executable (COM) | 0.4358641194834045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Every section except .rsrc and .idata is mapped readable, writable and executable. The two sections without a printable name and the random eight-letter names kcbkgpof and fpbbzirp are what the "special chars" and "non-standard names" signatures refer to. The unnamed section at 0xa000 reserves 0x2a0000 bytes of address space but occupies only 0x200 bytes on disk: it is the region the unpacker fills at runtime. kcbkgpof (0x1a1800 raw bytes, almost the entire file, entropy 7.95 out of 8) holds the packed payload, and the entry point sits at the first byte of .taggant.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
A single import (kernel32!lstrcpy) is the signature of a protector that rebuilds the real import table at runtime; the LoadLibraryExA and GetProcAddress calls in the execution graph are that rebuild.
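The section table, data directories and import list above are enough to reproduce the report's header-level verdicts (entry point outside a standard section, sections with empty or random names, writable-and-executable mappings, near-maximum entropy, invalid checksum) from a file without running it. The following is an added example, not code from Joe Sandbox or from the sample, written in Python with only the standard library: it parses the PE header itself, and the file it audits is a constructed PE whose layout echoes this one. The list of "standard" section names is an assumption, since the sandbox's own list is not on the page.

```python
"""Static triage of a PE's section table, entry point and header checksum, reproducing
the report's header-level signatures. Added example; the PE it audits is constructed."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_SECTIONS = {".text", ".code", "CODE", ".data", ".rdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}   # assumed list
CODE_SECTIONS = {".text", ".code", "CODE"}                                   # assumed list


def entropy(blob: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Header checksum as imagehlp computes it: one's-complement sum of 32-bit words
    (skipping the CheckSum field itself), folded to 16 bits, plus the file length."""
    total, padded = 0, data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off != checksum_off:
            total += struct.unpack_from("<I", padded, off)[0]
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse(data: bytes) -> dict:
    """Read the few COFF/optional-header fields and section headers the audit needs."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                  # optional header follows the 20-byte COFF header
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsect, 40):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw": data[raw_ptr:raw_ptr + raw_size],
                         "chars": struct.unpack_from("<I", data, off + 36)[0]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
            "checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def audit(data: bytes) -> list:
    """Return (finding, detail) pairs mirroring the report's static signatures."""
    info, findings = parse(data), []
    ep = next((s for s in info["sections"]
               if s["va"] <= info["entry"] < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    if ep is None or ep["name"] not in CODE_SECTIONS:
        findings.append(("entry point outside standard code section", ep["name"] if ep else "<none>"))
    for s in info["sections"]:
        n = s["name"] or "<unnamed>"
        if not s["name"].strip() or not s["name"].isprintable():
            findings.append(("section name empty or with special chars", n))
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append(("non-standard section name", n))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("writable and executable section", n))
        if entropy(s["raw"]) > 7.0:
            findings.append(("high-entropy section, likely packed or encrypted", n))
    if info["checksum"] != pe_checksum(data, info["checksum_off"]):
        findings.append(("invalid PE checksum", hex(info["checksum"])))
    return findings


def fix_checksum(data: bytes) -> bytes:
    """Write the correct CheckSum; the field is excluded from the sum, so one pass suffices."""
    info, out = parse(data), bytearray(data)
    struct.pack_into("<I", out, info["checksum_off"], pe_checksum(data, info["checksum_off"]))
    return bytes(out)


def build_pe(sections: list, entry_rva: int) -> bytes:
    """Construct a minimal PE32 file for testing (not the sample from the report)."""
    hdr, pe, opt = bytearray(0x400), 0x80, 0x80 + 24
    hdr[:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, pe)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    struct.pack_into("<H", hdr, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)                        # AddressOfEntryPoint
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)        # ImageBase, alignments
    struct.pack_into("<I", hdr, opt + 60, len(hdr))                         # SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                               # NumberOfRvaAndSizes
    body = bytearray()
    for i, (name, va, chars, raw) in enumerate(sections):
        raw += b"\0" * (-len(raw) % 0x200)
        struct.pack_into("<8sIIII", hdr, opt + 224 + 40 * i, name.encode("latin-1"),
                         len(raw), va, len(raw), len(hdr) + len(body))
        struct.pack_into("<I", hdr, opt + 224 + 40 * i + 36, chars)
        body += raw
    return bytes(hdr + body)


RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
PACKED = bytes(i * 7919 % 256 for i in range(0x1000))   # a permutation repeated 16x: entropy 8.0
# Constructed layout echoing the report's table: unnamed RWX section, normal .rsrc,
# randomly named high-entropy RWX section, entry point inside .taggant.
SAMPLE = build_pe([("", 0x2000, RWX, b"\xCC" * 0x200),
                   (".rsrc", 0x3000, IMAGE_SCN_MEM_READ, b"\0" * 0x100 + b"MZ"),
                   ("kcbkgpof", 0x4000, RWX, PACKED),
                   (".taggant", 0x5000, RWX, b"\xE9" + b"\0" * 0x3FF)], entry_rva=0x5000)
```

Run against the real sample the same checks would report the entry point in .taggant, two sections without a printable name, kcbkgpof, fpbbzirp and .taggant as non-standard names, five RWX sections, and kcbkgpof above 7.9 bits per byte. The checksum routine is the imagehlp algorithm, so fix_checksum is also what to run before comparing a repacked file against the original; a zero or mismatched CheckSum is common on unsigned binaries and is only a weak signal on its own.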
No network behavior found

Target ID: 0
Start time: 20:17:57
Start date: 13/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xb90000 (the header's preferred base is 0x400000; DYNAMIC_BASE let the loader relocate the image, which is why the memory dumps and the 0_2_00Dxxxxx function addresses in this report lie between 0xB90000 and 0xFDF000)
File size: 1'735'680 bytes
MD5 hash: 5447BC45A84B461600E8677F1F130CCA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:3.4%
    Signature Coverage:3.9%
    Total number of Nodes:356
    Total number of Limit Nodes:20
    execution_graph (the rendered graph's node and edge dump is not reproduced). Windows API calls that appear as graph nodes, grouped by the code region they were reached from:
      • Protector runtime inside the relocated image (nodes at 0xD1Cxxx to 0xD76xxx): LoadLibraryA, LoadLibraryExW, LoadLibraryExA, GetProcAddress, FreeLibrary, GetModuleHandleA, GetModuleHandleW, GetModuleHandleExA, lstrcmpiA, lstrcpyn, PathAddExtensionA, RegOpenKeyA, GetNativeSystemInfo, GetSystemInfo, VirtualAlloc, VirtualProtect, GetModuleFileNameA, GetCurrentProcess, GetCurrentThreadId, DuplicateHandle, CloseHandle, Sleep, IsBadWritePtr, GetWindowsDirectoryA, CreateFileA, CreateFileW, ReadFile, GetFileAttributesA, GetFileAttributesW, CreateFileMappingA, MapViewOfFileEx
      • Code in the region allocated at runtime at 0x54C0000 (the write-watch allocation listed under the evasion signatures), i.e. unpacked code that does not exist in the file on disk: OpenSCManagerW (54c0d93), ImpersonateLoggedOnUser (54c1349), ControlService (54c1558), plus a CloseHandle path reached from 54c10f0
    The GetModuleFileNameA, CreateFileMappingA, MapViewOfFileEx and VirtualProtect chain is consistent with the protector mapping its own file for integrity checks and unpacking; the service-control and impersonation calls from the runtime-allocated region are the only trace this report holds of what the unpacked code does.

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph for 0_2_00D759E5 (basic-block edge list not reproduced): the entry block d759e5-d759ff calls GetSystemInfo; d75a43-d75a8c calls VirtualAlloc and then d75d31; four further blocks (d75a92, d75abc, d75ae6, d75b43) each call d75d31 again, and every one of them can branch to d75b72, which calls d75b7b before the function returns at d75b79.
    APIs
    • GetSystemInfo.KERNELBASE(?,-11735FEC), ref: 00D759F1
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00D75A52
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 0d47c8626abbf43e52116e2c24cd99cd7c0aaf6f8e808e91b9d28a1a4a8a6c51
    • Instruction ID: 9c401ab31116ef67491fdb8628fc01f6710598829b6513548bebdd9da73a7a32
    • Opcode Fuzzy Hash: 0d47c8626abbf43e52116e2c24cd99cd7c0aaf6f8e808e91b9d28a1a4a8a6c51
    • Instruction Fuzzy Hash: 0E4112B2940606AED725CFA0DC49FAAB7ACFF18740F044867B207DD582F7B095D487A5

    Control-flow Graph (graph not reproduced in text)
    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00D6AD20
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00D6AD34
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 7f4e5317841ac8059484a7b185a1fa555cf1bf7f95f19158b18ced33be2f428b
    • Instruction ID: 9793ddf2118ee58b0a575e07655e90927cccf3b6b8d96d452fa18fc969ffac10
    • Opcode Fuzzy Hash: 7f4e5317841ac8059484a7b185a1fa555cf1bf7f95f19158b18ced33be2f428b
    • Instruction Fuzzy Hash: 8F319A75500109FFCF21AF68D904AAD7B75FF48301F15806AF982AA161E732D9A0DFB2

    Control-flow Graph: function at 00D6B115 (graph not reproduced in text)
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00D6B0A7,?,00000000,00000000), ref: 00D6B1D2
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00D6B0A7,?,00000000,00000000), ref: 00D6B1E0
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 299d2eb61fa7063dc722f9bd4cd4bbe4d2dbf678b5b2898d7e17819e24964c78
    • Instruction ID: c8076f4b5a55b8c1204ae235c3687136d2b4d957765411c66ad44eaa3488e65a
    • Opcode Fuzzy Hash: 299d2eb61fa7063dc722f9bd4cd4bbe4d2dbf678b5b2898d7e17819e24964c78
    • Instruction Fuzzy Hash: F2111870204B09BBEB319F24C82DB697BA5FF11355F040127E902844A0D77ED9E4DAB2

    Control-flow Graph: function at 00D6DA6F (graph not reproduced in text)
    APIs
    • GetFileAttributesW.KERNELBASE(0158A294,-11735FEC), ref: 00D6DAE8
    • GetFileAttributesA.KERNEL32(00000000,-11735FEC), ref: 00D6DAF6
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 9ad787e7611c6faea9712a125cf07f31c6ebc9f7fd97d2bb1353ce2b6a154679
    • Instruction ID: b3b4af53b7d272d051bf6682f2437675ef41d30a8536c24c963eb71895eadfeb
    • Opcode Fuzzy Hash: 9ad787e7611c6faea9712a125cf07f31c6ebc9f7fd97d2bb1353ce2b6a154679
    • Instruction Fuzzy Hash: 3D018130B0C205FBDF26DF94E90979CBE76FF10340F248165E54265091D7B29A94EB70

    Control-flow Graph: function at 00D1C031 (graph not reproduced in text)
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00D1C080
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00D1C0A7
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00D1C0FE
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: c16f007a13765c4d834b3da41ecc748b92a1b86f27dff519852f349ada0339a0
    • Instruction ID: e4e245c933c14e0a9d7410fb7f8a5316a548e4da018528d2c736d40f9b16b1b4
    • Opcode Fuzzy Hash: c16f007a13765c4d834b3da41ecc748b92a1b86f27dff519852f349ada0339a0
    • Instruction Fuzzy Hash: 593116B505460EAEEF11DF90C848BEE3AA8EF08305F140425E98682D50EBB65CE4DF6D

    Control-flow Graph: function at 00D69AEF (graph not reproduced in text)
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00D69B51
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 236148f55e04054b14aafd1d11c57e043819f5f4bdc45cd56bf498a7cf2f1bac
    • Instruction ID: e5ca2350bd144cc78f5d652469c9f46643a59c2cf81ea57fee0558e860ee04e5
    • Opcode Fuzzy Hash: 236148f55e04054b14aafd1d11c57e043819f5f4bdc45cd56bf498a7cf2f1bac
    • Instruction Fuzzy Hash: 02312C35A0020AFFDF21DF99CC19B9EB7BAFF59715F041065FA00A5060E7729A61DB60

    Control-flow Graph: function at 00D6B1FE (graph not reproduced in text)
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00D6B262
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 02cabd6863b0dd5d8a6f3836d5e937be2a5d3c8f29384a3cd9fe973116f24c08
    • Instruction ID: 88e194366a620796d750893c3763628433f2f6f9d2d7064eecc7e6e76260e874
    • Opcode Fuzzy Hash: 02cabd6863b0dd5d8a6f3836d5e937be2a5d3c8f29384a3cd9fe973116f24c08
    • Instruction Fuzzy Hash: E8F09072200204AFDF12DF54D865B6EBBE8FF18360F108022FE1586052D731C5A09A31

    Control-flow Graph: function at 00D6DC8B (graph not reproduced in text)
    APIs
    • CreateFileW.KERNELBASE(0158A294,?,?,-11735FEC,?,?,?,-11735FEC,?), ref: 00D6DD3D
      • Part of subcall function 00D6DC3D: IsBadWritePtr.KERNEL32(?,00000004), ref: 00D6DC4B
    • CreateFileA.KERNEL32(?,?,?,-11735FEC,?,?,?,-11735FEC,?), ref: 00D6DD5D
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: fa72365555026ac5d6710127727481ebe6e31c625ec12bbe2cf9da40067c984b
    • Instruction ID: dedce1a43313d9b5d3ef171dc77e3afc57cdf1ee0a314570366858c45ba6706e
    • Opcode Fuzzy Hash: fa72365555026ac5d6710127727481ebe6e31c625ec12bbe2cf9da40067c984b
    • Instruction Fuzzy Hash: 0E111431A0024AFBCF22AF90EC05B9D7B72FF18344F194126B98215061C772C9A5EBB1

    Control-flow Graph: function at 00D6D5F7 (graph not reproduced in text)
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    • GetCurrentProcess.KERNEL32(-11735FEC), ref: 00D6D604
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D6D66A
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 4ca66452b59c616756c5719c4e6d15b98556291a18cf770353c4f80c163e39d3
    • Instruction ID: ff819d0a268f52ee055698b809376cc8c9712f40fe7f520dcd65a3681370a4ac
    • Opcode Fuzzy Hash: 4ca66452b59c616756c5719c4e6d15b98556291a18cf770353c4f80c163e39d3
    • Instruction Fuzzy Hash: ED01197260014EBB8F22AFA4EC04D9E7F7AFF98750B048512FA0A94011D732D162EB71

    Control-flow Graph: function at 00D6953C (graph not reproduced in text)
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00D6954B
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: ddb64248b0a70661cceee43e4dc0b5e3b8cf1f7efb6786b4db44758f90e268f8
    • Instruction ID: f8490e7b6d4332fc89e56802b4a989f264d5f6e3e9638ac7363b420f732726e4
    • Opcode Fuzzy Hash: ddb64248b0a70661cceee43e4dc0b5e3b8cf1f7efb6786b4db44758f90e268f8
    • Instruction Fuzzy Hash: 9BF0E931101605EFEB329F64C95875EF7B8FF4572DF200179D50241181D7715D95DAE2

    Control-flow Graph: function at 00D76411 (graph not reproduced in text; the graph shows a VirtualProtect call in the block 00D76560-00D76568, and no APIs list is given for this function)
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 23be7e148a56f18962ff0a2f2dbcc3e79591bea3ea112637df9f7456bf9d904e
    • Instruction ID: f21bdf95d5e45490510d7d6a40a91b079132f2e8ec85ad6708155af9a9f200b9
    • Opcode Fuzzy Hash: 23be7e148a56f18962ff0a2f2dbcc3e79591bea3ea112637df9f7456bf9d904e
    • Instruction Fuzzy Hash: D4418AB1904A05EFDB31CF10C944BAD7BB1FB04314F28C455E84AAA195F371ED90EB61

    Control-flow Graph: function at 00D6BC76 (graph not reproduced in text)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00D6BD2B
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9928a0ed1f43e681fd67da68b0b2fab4fe9900ac46f722725928833bb7532635
    • Instruction ID: 8a72f1736b16663da56ce75747df0fa0b5e7c06f4955ae1c24254cd134bf1624
    • Opcode Fuzzy Hash: 9928a0ed1f43e681fd67da68b0b2fab4fe9900ac46f722725928833bb7532635
    • Instruction Fuzzy Hash: 7C313D71600204BBDB209F65DC45F9DBBB8EF48724F24816AF605EA191C771AA91CF20

    Control-flow Graph: function at 00D6B492 (graph not reproduced in text)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00D6B514
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a0377691686ac0d7c7a0f6b6c90780d7ac338aee908b69a61745d55a208dd9b9
    • Instruction ID: 944a860ea3cb05543f9a5fc618bfb947b1f05abe880be087e2c33f38a2bb2304
    • Opcode Fuzzy Hash: a0377691686ac0d7c7a0f6b6c90780d7ac338aee908b69a61745d55a208dd9b9
    • Instruction Fuzzy Hash: C1318171640204BFEB309F64DC45F99B7B8EB04738F20826AF611EA1D1D7B2A681CB64
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00D7620B
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: d3a8562bd35cd36f6c74b17a99398e5dce368a723e39743053883c264e471247
    • Instruction ID: a6939ba34eb568dca4d34b3f713d5c4bcb7a5854237c1681abbb61826d5472ff
    • Opcode Fuzzy Hash: d3a8562bd35cd36f6c74b17a99398e5dce368a723e39743053883c264e471247
    • Instruction Fuzzy Hash: C211E972E01A249FEBB05A058C48BEA777CEF19B58F14C0A5EC4D9A442F770DD808BB5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 97ab503cb9b3d9b4b3a6120dde49de01095586dff46b427400880bce91edf33d
    • Instruction ID: 4281ef1bca794bad1d97a6960345714219c754b9c809ecc0b145417c14193a11
    • Opcode Fuzzy Hash: 97ab503cb9b3d9b4b3a6120dde49de01095586dff46b427400880bce91edf33d
    • Instruction Fuzzy Hash: A821F0BA805218DBCB50DF99D888ADEBBB4FB88310F14815AD909AB204D774A940CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 30339d7525485c6adc9af45dd58b734c94dc88ae20f7eb035b3cfc35ea21148d
    • Instruction ID: df79a26a0200ae5d0ab4cf2fbf065b326998f0f2c3d23eb51749791203a7729a
    • Opcode Fuzzy Hash: 30339d7525485c6adc9af45dd58b734c94dc88ae20f7eb035b3cfc35ea21148d
    • Instruction Fuzzy Hash: 6B2132BAC00218CFCB50CF99D988ADEBBB4FF88310F14825AD909AB304D734A540CBA1
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 054C1580
    Memory Dump Source
    • Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: aebc808c78a4b26427055cac8ff33bfc8c16d59a0e6e742ecf4a35ddb402baae
    • Instruction ID: e0c47ebbeaf7c1adf651dbfb0f6fac648d83c02717e94a07b776e1cdaf885baa
    • Opcode Fuzzy Hash: aebc808c78a4b26427055cac8ff33bfc8c16d59a0e6e742ecf4a35ddb402baae
    • Instruction Fuzzy Hash: 962100B59002498FDB10CFAAC584BDEBBF4FF48320F14842AE559A3250D378AA44CFA1
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 054C1580
    Memory Dump Source
    • Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 97a0672f4ab7d634bdc149ff4043d7196dd70b726369d9128f0d12c2b5d6ae8d
    • Instruction ID: 5ebac32cd3ba53ab082d82c1c587e9b2c30715472affd2417de20fbecaeae7f0
    • Opcode Fuzzy Hash: 97a0672f4ab7d634bdc149ff4043d7196dd70b726369d9128f0d12c2b5d6ae8d
    • Instruction Fuzzy Hash: 1111D0B59002499FDB10DF9AC584BDEFBF4EB48320F10846AE959A3251D378AA44CFA5
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11735FEC), ref: 00D6E84A
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: db732a7e8e6769bc57e766a7f524f10c1f2a9d22c28d6be891aa71f0db4df2f1
    • Instruction ID: 0b4fb8401babc4a43bee16f110ab564ac3c7f7a1f600231ec5b17a8b54eef420
    • Opcode Fuzzy Hash: db732a7e8e6769bc57e766a7f524f10c1f2a9d22c28d6be891aa71f0db4df2f1
    • Instruction Fuzzy Hash: 9F11DB3650014AFBCF12AFA5DC05C9E7F6AFF98344B444421FA1156062D736C572EBB1
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 6854038a52939e220ff6ae6f0595400732f4d2dfe6834a732dd8109c74800cac
    • Instruction ID: 1b8e863c0ad3e047ac37bb846a640a8c46337b07adb23a0e5f681d089c184d00
    • Opcode Fuzzy Hash: 6854038a52939e220ff6ae6f0595400732f4d2dfe6834a732dd8109c74800cac
    • Instruction Fuzzy Hash: EB112D7610020AEBCF129FE4C909E9E7BB9EF54344F044915F9129A061D736C661EFB0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
    Memory Dump Source
    • Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 9f389b951b317d2888da749c919fd8ae3a8919e094b9ad77ebd01667000a3e44
    • Instruction ID: 6dd15916ae35630798985e59bf29199f3a4fed4dabcdf00369274f98eeb116b1
    • Opcode Fuzzy Hash: 9f389b951b317d2888da749c919fd8ae3a8919e094b9ad77ebd01667000a3e44
    • Instruction Fuzzy Hash: CB1122B5800249CFDB10DF9AC585BEEBBF8EF48324F20846AD518A3250C778A944CBA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
    Memory Dump Source
    • Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 081ca82a934c2e7e270ee872d192fa8421b30cd83104bd29d522caa533829ad0
    • Instruction ID: 007dad5eaa4dc5ccd8529f96898d00593df68fc587e6b1e5a1fdd6e7c0728e14
    • Opcode Fuzzy Hash: 081ca82a934c2e7e270ee872d192fa8421b30cd83104bd29d522caa533829ad0
    • Instruction Fuzzy Hash: A11122B5800209CFDB10DF9AC589BEEBBF4EF48324F24846AD558A3651D378A944CFA5
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11735FEC,?,?,00D6BBBE,?,?,00000400,?,00000000,?,00000000), ref: 00D6DEFB
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: 479b9843e258742193eab5246fd3a2a1363a0754b70b7956b9d15d7746dde04d
    • Instruction ID: aad96b046fde41ff80bdd4d81566468a414c9b4a4b4b7b369136750a5dd0c45b
    • Opcode Fuzzy Hash: 479b9843e258742193eab5246fd3a2a1363a0754b70b7956b9d15d7746dde04d
    • Instruction Fuzzy Hash: 1CF0E73260014AFBCF12AFA8EC19D9E7F6AEF58340F044451FA428A022D732C5A1EB71
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 216250f55e84f3dd934b4bc772c7e8c78995f72349c0764fc73261300a5d32a6
    • Instruction ID: 985c560a08f2a15d6094853b1a18731b0e35d335a4f192831fba8751c3ebcd72
    • Opcode Fuzzy Hash: 216250f55e84f3dd934b4bc772c7e8c78995f72349c0764fc73261300a5d32a6
    • Instruction Fuzzy Hash: C801E4B250C600DFD7062F28E8495BEFBE9EF98710F02482EE5C586250D7754890CB53
    APIs
    • GetProcAddress.KERNEL32(00D6A628,00D6A628), ref: 00D6AEBD
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 996cac1e3c4c34e2063fba79ea812d8df03ba3211051b8ef61b2532dd4f8b3de
    • Instruction ID: d66d815c7410cafbdc021a86abe3bfcc4d3091e2c3fe711b8c0be0cc466eca00
    • Opcode Fuzzy Hash: 996cac1e3c4c34e2063fba79ea812d8df03ba3211051b8ef61b2532dd4f8b3de
    • Instruction Fuzzy Hash: A2E0ED31200904B78E127F7CC91985E7B16EE95350B158022B99774053DB33C651EE73
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 758efeaa7446c7664a8fc7f4e75d3098c9142ee0bb438b0b77a5a4da949220a2
    • Instruction ID: 628b7e47840c760a3ea39f30f6f903c047101522500847e4856d4afeeb5572a2
    • Opcode Fuzzy Hash: 758efeaa7446c7664a8fc7f4e75d3098c9142ee0bb438b0b77a5a4da949220a2
    • Instruction Fuzzy Hash: DA01E436A00109BFCF219FA5CC14DDEBFBAEF88381F040271B911A5061D7328A62DBA4
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00D75D84,?,?,00D75A8A,?,?,00D75A8A,?,?,00D75A8A), ref: 00D75DA8
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 2a6cd0fbd7c26dddef65640125cb581686f3ab1aeb746763385f91005c7b3b3a
    • Instruction ID: 5cbfaeed22fed10c5ff57dcee7d07b380a4997af2b9073ff557bc9a83db94d48
    • Opcode Fuzzy Hash: 2a6cd0fbd7c26dddef65640125cb581686f3ab1aeb746763385f91005c7b3b3a
    • Instruction Fuzzy Hash: C7F081B1A00606EFE7218F15CD08B59BBA5FF54751F208069F44B9F591F3B198E0CB65
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    • CloseHandle.KERNELBASE(00D6BC53,-11735FEC,?,?,00D6BC53,?), ref: 00D6C2CE
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 46f086e89755fe5f8354ae8dcea92d574f26286435b9ce54d68cc8cc803b0b21
    • Instruction ID: 7623cc2545b924cca3c9f5d92acdfc32df170002c6e753713824cfa7e02adbd9
    • Opcode Fuzzy Hash: 46f086e89755fe5f8354ae8dcea92d574f26286435b9ce54d68cc8cc803b0b21
    • Instruction Fuzzy Hash: 04E04F72200541A7CE22BAB8D829D6E7F6CDFA9354B000132F94295152EB32D195D675
    APIs
    • CloseHandle.KERNELBASE(?,?,00D693DB,?,?), ref: 00D6B35B
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 5afdbdd940ae162ad3f9fd86629b4e51cd4e888cd2e1c2eed61c03d846e2f9e0
    • Instruction ID: 700cb69598b1b496620ce44600f27f988e49d332e3d9f28e674073fd81740e88
    • Opcode Fuzzy Hash: 5afdbdd940ae162ad3f9fd86629b4e51cd4e888cd2e1c2eed61c03d846e2f9e0
    • Instruction Fuzzy Hash: EEB09B31100508BBCF11BF51DC05C4D7F65FF153547008111F50544031C776D5619BA5
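The function records above are machine generated, and the question an analyst actually asks of them is which Windows APIs each function calls and whether the function sits in the region the sandbox recognised as a PE image (`based on PE: true`, offset 00B90000) or in one it did not (`based on PE: false`, offset 054C0000, where the OpenSCManagerW, ControlService and ImpersonateLoggedOnUser calls are located). The Python below is an added example, not part of the Joe Sandbox report or of its IDA plugin: it parses the `APIs / Memory Dump Source / Similarity` block format shown on this page, using as input a constructed excerpt of these same records, and summarises direct API calls per memory region. The field names and the `based on PE` flag come from the report; the grouping and the "non-image region" heuristic are this example's own.

```python
"""Summarise Joe Sandbox per-function records by memory region.

Added example, not part of the Joe Sandbox report or its IDA plugin.
It parses the 'APIs / Memory Dump Source / Similarity' block format shown
above and groups the Windows APIs each function calls by the dump region the
function was found in, separating regions the sandbox recognised as a PE
image ('based on PE: true') from those it did not.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: an excerpt of the records above, trimmed to three
# functions (two from region 054C0000, one from the image at 00B90000).
SAMPLE = """\
APIs
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
Memory Dump Source
• Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_54c0000_file.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
• Opcode ID: 97ab503cb9b3d9b4b3a6120dde49de01095586dff46b427400880bce91edf33d
APIs
• ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
Memory Dump Source
• Source File: 00000000.00000002.2202987761.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
Similarity
• Opcode ID: 9f389b951b317d2888da749c919fd8ae3a8919e094b9ad77ebd01667000a3e44
APIs
  • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
  • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
• ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11735FEC,?,?,00D6BBBE,?,?,00000400,?,00000000,?,00000000), ref: 00D6DEFB
Memory Dump Source
• Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
Similarity
• Opcode ID: 479b9843e258742193eab5246fd3a2a1363a0754b70b7956b9d15d7746dde04d
"""

# One API line: optional "Part of subcall function X:" prefix, then
# Name.MODULE, optional "(args)", optional comma, then "ref: <address>".
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$"
)
SRC_RE = re.compile(
    r"^\s*•\s+Source File:\s+(?P<dump>\S+),\s+Offset:\s+(?P<off>[0-9A-F]+),"
    r"\s+based on PE:\s+(?P<pe>true|false)\s*$"
)
OPC_RE = re.compile(r"^\s*•\s+Opcode ID:\s+(?P<id>[0-9a-f]{64})\s*$")

Call = Tuple[str, str, str, bool]  # (api, module, ref address, reached via subcall)


@dataclass
class FuncRecord:
    kind: str                              # "APIs" or "Strings" header that opened it
    calls: List[Call] = field(default_factory=list)
    region: str = ""                       # Offset of the dump the function lives in
    pe_backed: Optional[bool] = None       # value of "based on PE"
    opcode_id: str = ""


def parse_records(text: str) -> List[FuncRecord]:
    """Split the report text into one FuncRecord per 'APIs'/'Strings' block."""
    records: List[FuncRecord] = []
    cur: Optional[FuncRecord] = None
    for line in text.splitlines():
        header = line.strip()
        if header in ("APIs", "Strings"):
            cur = FuncRecord(kind=header)
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.calls.append((m["api"], m["mod"], m["ref"], m["sub"] is not None))
            continue
        m = SRC_RE.match(line)
        if m:
            cur.region, cur.pe_backed = m["off"], m["pe"] == "true"
            continue
        m = OPC_RE.match(line)
        if m:
            cur.opcode_id = m["id"]
    return records


def apis_by_region(records: List[FuncRecord]) -> Dict[str, Tuple[Optional[bool], List[str]]]:
    """Map region offset -> (pe_backed, sorted APIs called directly, not via subcalls)."""
    acc: Dict[str, Tuple[Optional[bool], set]] = {}
    for r in records:
        _pe, apis = acc.setdefault(r.region, (r.pe_backed, set()))
        apis.update(api for api, _mod, _ref, sub in r.calls if not sub)
    return {k: (pe, sorted(v)) for k, (pe, v) in acc.items()}


def non_image_regions(records: List[FuncRecord]) -> List[str]:
    """Regions the sandbox did not recognise as a PE image: code running there was
    not mapped from the file on disk, so its API profile deserves a first look."""
    return sorted({r.region for r in records if r.pe_backed is False})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for region, (pe, apis) in apis_by_region(recs).items():
        print(f"{region}  PE-backed={pe}  APIs={', '.join(apis)}")
    print("non-image regions:", non_image_regions(recs))
```

Run against the full report text instead of `SAMPLE`, the same functions separate the service-control and impersonation calls in the 054C0000 region from the file, loader and memory-management calls (ReadFile, MapViewOfFileEx, GetProcAddress, VirtualAlloc, CloseHandle) in the 00B90000 image, which is the split worth checking first when triaging the dumps.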
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID: @9y$AUZv$GToo$rzoo$Ij_
    • API String ID: 0-1263636462
    • Opcode ID: 21600636ce7d7608d0ed1b32a286c1e5ea2a5995051635c4e449907f5eecae34
    • Instruction ID: 8886e82e01644512f1d926f8d1d0e3e5c96441a066eb5bd38aedc5cba44c5292
    • Opcode Fuzzy Hash: 21600636ce7d7608d0ed1b32a286c1e5ea2a5995051635c4e449907f5eecae34
    • Instruction Fuzzy Hash: EAB206F360C2009FE308AE29EC8567AFBE5EF94720F16893DEAC5C3744E63558158697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID: 6^$L?/$j7$l|o$zyG|
    • API String ID: 0-2736753875
    • Opcode ID: 8a37610bda5e98ee7f6bfb8b06d9f2d40594dcff47660d013782ba3ca613c8b1
    • Instruction ID: dac0b2c3036a6bea15c1a62f40ef51ac1a61136460ff2f0c97a19ad9b68aec31
    • Opcode Fuzzy Hash: 8a37610bda5e98ee7f6bfb8b06d9f2d40594dcff47660d013782ba3ca613c8b1
    • Instruction Fuzzy Hash: 62B2F7F3A0C2009FE3086F29DC8567ABBE5EB94720F16893DEAC5C7744EA3558058797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID: ++wr$5*m{$Fcw{$c=?$o0r
    • API String ID: 0-1232880388
    • Opcode ID: 4bb9b0efdc03c20d15d4e0225d03b20581631e0d8d0d8ad6d1a119636bdf9c89
    • Instruction ID: 0ca34bcd0c2a1fce007c9da69d1ac3b459bf175427fb25b42e8a8e41345f082d
    • Opcode Fuzzy Hash: 4bb9b0efdc03c20d15d4e0225d03b20581631e0d8d0d8ad6d1a119636bdf9c89
    • Instruction Fuzzy Hash: EFB225F3A0C2149FE3046E29EC8567AFBE9EF94720F164A3DEAC487744E63558058793
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID: ![n$A;]$U$?'$[O
    • API String ID: 0-2531317425
    • Opcode ID: 29cd38c0649f8706658ee8295455d241f9313b34329f1013813955fd0496ff2c
    • Instruction ID: 38d0df6e18068d760fb5662b1147ee78961143147dbb0c1db2d2b1468b3fa878
    • Opcode Fuzzy Hash: 29cd38c0649f8706658ee8295455d241f9313b34329f1013813955fd0496ff2c
    • Instruction Fuzzy Hash: 7352F7F3A0C2009FE704AE19EC8577AB7E6EF94720F1A853DEAC487744E63558058797
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID: <f?a$hG;?$zT3A
    • API String ID: 0-2058493188
    • Opcode ID: 7a5f393d76a2ec3fa9b96d70f240498b0c8d28f4cc69dbbab9bbf86d1aca3196
    • Instruction ID: 8e0c8a30428fb0c725d3a26301ff1310cb4360db4e8d7eee93ff7a9d95512447
    • Opcode Fuzzy Hash: 7a5f393d76a2ec3fa9b96d70f240498b0c8d28f4cc69dbbab9bbf86d1aca3196
    • Instruction Fuzzy Hash: DAB2D7F3A0C204AFE304AE29EC8577AB7E9EF94720F1A453DE6C4C3744EA7558058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    • Associated: 00000000.00000002.2198776112.0000000000B90000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2198963075.0000000000B92000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199733456.0000000000B96000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2199766235.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2200825127.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201144676.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2201161413.0000000000FDF000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_b90000_file.jbxd
    Similarity
    • API ID:
    • String ID: kl$xotS$S>}
    • API String ID: 0-2235579807
    • Opcode ID: df66787a40ba02097799537fabaeadb7e916dda1aa9dbd57b11727e0256dcb53
    • Instruction ID: 6fd95561d834eb38062ae6c641e40d127833c1d774c469b79784b7c9d74960f2
    • Opcode Fuzzy Hash: df66787a40ba02097799537fabaeadb7e916dda1aa9dbd57b11727e0256dcb53
    • Instruction Fuzzy Hash: 73B2E2F260C2049FE304AF29EC8567AFBE6EF94720F16893DE6C487744EA3558418B57
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID: uD7>$}.f
    • API String ID: 0-4004473597
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID: }IzO$[1
    • API String ID: 0-3602291861
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
    • GetSystemTime.KERNEL32(?,-11735FEC), ref: 00D6D6BE
    • GetFileTime.KERNEL32(?,?,?,?,-11735FEC), ref: 00D6D701
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID: )j
    • API String ID: 0-3375017247
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00D6E58E
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    APIs
      • Part of subcall function 00D6953C: GetCurrentThreadId.KERNEL32 ref: 00D6954B
      • Part of subcall function 00D6953C: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00D6958E
      • Part of subcall function 00D6DC3D: IsBadWritePtr.KERNEL32(?,00000004), ref: 00D6DC4B
    • wsprintfA.USER32 ref: 00D6CC05
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00D6CCC9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    APIs
    • GetFileAttributesExW.KERNEL32(0158A294,00004020,00000000,-11735FEC), ref: 00D6D87D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2199766235.0000000000D17000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B90000, based on PE: true
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805