Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532866
MD5: e74b2676a77045684f8ec5f46a486da8
SHA1: 49bedb5d53e2b945d77a8a1bad6ee7eea2d982a5
SHA256: e38f3aabd29c5a1225fedb0146299efa05263cf829e60b1d061d12ff7220433b
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6056 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E74B2676A77045684F8EC5F46A486DA8)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: Submitted sample | Integrated Neural Analysis Model: matched with 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001EEE24 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2026966986.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B206B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009307F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001871A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017D1E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00182294
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A92D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000AD3BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017F4B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0007556E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001857BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018A7E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00097815
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001BF823
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0018084E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A88D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00211A0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000FFB3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00188CEC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009FD51
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001E9E19 appears 35 times
Source: file.exe, 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000002.2160844675.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Section: agswtfru ZLIB complexity 0.9949447165330959
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll (2 times)
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1750016 > 1048576
Source: file.exe | Static PE information: Raw size of agswtfru is bigger than: 0x100000 < 0x1a5200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2026966986.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;agswtfru:EW;doxgtilc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b269b should be: 0x1b538a
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: agswtfru
Source: file.exe | Static PE information: section name: doxgtilc
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019B2C5: push edi; mov dword ptr [esp], ebx (at 0_2_0019F9F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0024803C: push 4CB2E06Eh; mov dword ptr [esp], esi (at 0_2_0024805D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019A003: push ebx; mov dword ptr [esp], esi (at 0_2_0019A00E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A2006: push 07C9C5C0h; mov dword ptr [esp], edi (at 0_2_001A35E2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019C006: push 46550E4Bh; mov dword ptr [esp], edi (at 0_2_0019F3F5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A403E: push eax; ret (at 0_2_001A404D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A8036: push edi; mov dword ptr [esp], 677AEBE3h (at 0_2_001A8041)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A8036: push 0C3B020Eh; mov dword ptr [esp], ecx (at 0_2_001A81AF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A805E: push edi; mov dword ptr [esp], ecx (at 0_2_001A81CB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB056: push 51702100h; mov dword ptr [esp], ecx (at 0_2_001AB107)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB056: push 42F33BADh; mov dword ptr [esp], eax (at 0_2_001AB12F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB056: push 70C90BC9h; mov dword ptr [esp], edx (at 0_2_001AB19D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019E044: push esi; mov dword ptr [esp], 25768676h (at 0_2_0019FCFF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0019E044: push ebp; mov dword ptr [esp], esi (at 0_2_0019FE0C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001B206B: push 4679EA7Eh; mov dword ptr [esp], edi (at 0_2_001B2183)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A406B: push eax; ret (at 0_2_001A407A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00247056: push 4EE8ED65h; mov dword ptr [esp], edx (at 0_2_002470FD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009307F: push eax; mov dword ptr [esp], ecx (at 0_2_000930A1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009307F: push ecx; mov dword ptr [esp], ebx (at 0_2_000930A5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009307F: push 6CC6FD1Ah; mov dword ptr [esp], edi (at 0_2_000930D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB06C: push 51702100h; mov dword ptr [esp], ecx (at 0_2_001AB107)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB06C: push 42F33BADh; mov dword ptr [esp], eax (at 0_2_001AB12F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB06C: push 70C90BC9h; mov dword ptr [esp], edx (at 0_2_001AB19D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A4092: push edx; ret (at 0_2_001A40A1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A5095: push 2CCA1960h; mov dword ptr [esp], edx (at 0_2_001A509E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002610B0: push ecx; mov dword ptr [esp], 2A6FCBD7h (at 0_2_002610F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB08C: push 51702100h; mov dword ptr [esp], ecx (at 0_2_001AB107)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB08C: push 42F33BADh; mov dword ptr [esp], eax (at 0_2_001AB12F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB08C: push 70C90BC9h; mov dword ptr [esp], edx (at 0_2_001AB19D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB0A8: push 51702100h; mov dword ptr [esp], ecx (at 0_2_001AB107)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB0A8: push 42F33BADh; mov dword ptr [esp], eax (at 0_2_001AB12F)
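The push/mov and push/ret pairs listed above are the packer's spellings of ordinary instructions: "push <junk>; mov dword ptr [esp], reg" writes a dummy value into a fresh stack slot and immediately overwrites it, so it is just "push reg", and "push reg; ret" is "jmp reg" with the branch target hidden in a register. The peephole pass below is an added example (not code from the report, the sandbox or the sample): it takes disassembly text in the report's own syntax, collapses those two spellings, and strips the push/pop and pushad/popad filler that the RDTSC interceptor listings further down are padded with. It assumes one instruction per string, only ever rewrites adjacent pairs, and never looks at branch targets, so it will not remove the jumps-over-nothing.

```python
import re

# Adjacent pairs that leave registers, flags and the stack exactly as they were.
NOP_PAIRS = {("pushad", "popad"), ("pushfd", "popfd")}

# First interceptor listing from the evasion section of this report (addresses
# 186C4B..186C60), split into one instruction per entry.
RDTSC_TRACE = ["rdtsc", "jno 00007FE1CC51C006h", "pop edx", "pop eax", "pushad", "push edx",
               "pushad", "popad", "pushad", "popad", "pop edx", "push eax", "push edx",
               "push eax", "push edx", "rdtsc"]


def parse(insn: str):
    """'mov dword ptr [esp], ebx' -> ('mov', ['[esp]', 'ebx']); size hints are dropped."""
    mnem, _, rest = insn.strip().partition(" ")
    ops = [re.sub(r"^(?:dword|word|byte) ptr ", "", o.strip()) for o in rest.split(",")] if rest else []
    return mnem.lower(), ops


def fmt(mnem: str, ops: list) -> str:
    return f"{mnem} {', '.join(ops)}" if ops else mnem


def peephole(insns):
    """Collapse the packer's spellings back to what the CPU effectively executes.
    Only adjacent pairs are rewritten; branch targets are never examined."""
    out = []
    for insn in insns:
        out.append(parse(insn))
        while len(out) >= 2:
            (m1, o1), (m2, o2) = out[-2], out[-1]
            if m1 == "push" and m2 == "mov" and o2[:1] == ["[esp]"] and len(o2) == 2 and o2[1] != "esp":
                # push X; mov [esp], Y  ==  push Y: X is overwritten before anything reads it.
                # Y == esp is excluded: after the push it is 4 below what 'push esp' would store.
                out[-2:] = [("push", [o2[1]])]
            elif m1 == "push" and m2 == "ret" and not o2:
                # push X; ret  ==  jmp X (absolute): a branch with its target hidden in a push.
                out[-2:] = [("jmp", o1)]
            elif (m1, m2) in NOP_PAIRS or (m1 == "push" and m2 == "pop" and o1 == o2):
                # push r; pop r and pushad; popad are filler: drop both.
                del out[-2:]
            else:
                break
    return [fmt(m, o) for m, o in out]


if __name__ == "__main__":
    for seq in (["push edi", "mov dword ptr [esp], ebx"],                # 0_2_0019B2C5 above
                ["push edi", "mov dword ptr [esp], 677AEBE3h", "ret"],   # constructed: 0_2_001A8036 pair plus a ret
                RDTSC_TRACE):
        print(seq, "->", peephole(seq))
```

Run it over a function's worth of disassembly and the string-decryption and address arithmetic that the junk was hiding becomes readable; the chained case shows why the rules must re-check the tail after every rewrite, since "push edi; mov [esp], imm; ret" only becomes "jmp imm" once the first pair has already been folded.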
Source: file.exe | Static PE information: section name: entropy: 7.796889109002509
Source: file.exe | Static PE information: section name: agswtfru entropy: 7.953771866704537
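Everything in this section except the push/mov patterns comes from the section table and the optional header, and can be reproduced without a sandbox: the stale CheckSum, the blank and invented section names, the entry point sitting in .taggant rather than .text, sections that are both writable and executable, and the near-8.0 entropy of agswtfru. The script below is an added example (not code from Joe Sandbox or the sample) that parses those headers with nothing but the standard library and reports the same findings. It runs here on a constructed 32-bit PE that mimics this sample's layout (a blank section name standing in for the report's unprintable one, a high-entropy agswtfru, the entry point in .taggant, and the report's wrong CheckSum value copied into the header); the STANDARD_SECTIONS list and the 7.2 entropy threshold are the editor's heuristics, not values from the report.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names a stock MSVC or MinGW link emits; anything else deserves a look (editor's list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc", ".reloc",
                     ".bss", ".tls", ".CRT", ".debug", ".xdata", ".textbss", ".didat", ".gfids", ".00cfg"}
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """OptionalHeader.CheckSum the way imagehlp computes it: a one's-complement fold of
    the whole file as 16-bit words, skipping the CheckSum dword, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off - checksum_off % 4:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes):
    """Return (entry RVA, file offset of the CheckSum field, stored CheckSum, sections)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = e_lfanew + 4, e_lfanew + 24
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64                                   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": raw_name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": data[rptr:rptr + rsize], "chars": struct.unpack_from("<I", data, hdr + 36)[0]})
    return entry, checksum_off, struct.unpack_from("<I", data, checksum_off)[0], sections


def triage_pe(data: bytes) -> dict:
    """The static checks the report flags: stale checksum, odd or unprintable section
    names, W+X sections, near-8.0 entropy, entry point outside the standard sections."""
    entry, checksum_off, stored, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_off)
    findings, entry_section = [], None
    if stored and stored != computed:                         # 0 just means the linker never set it
        findings.append(f"invalid checksum: header 0x{stored:x}, should be 0x{computed:x}")
    for s in sections:
        name = s["name"].decode("latin-1")
        s["entropy"] = round(entropy(s["raw"]), 3)
        if s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"])):
            entry_section = name
        if not s["name"] or any(c < 0x21 or c > 0x7E for c in s["name"]):
            findings.append(f"section name with special chars: {s['name']!r}")
        elif name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXEC:
            findings.append(f"section {name!r} is writable and executable")
        if s["entropy"] > 7.2 and len(s["raw"]) >= 0x1000:
            findings.append(f"section {name!r} entropy {s['entropy']} (packed or encrypted?)")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{entry:x} lies in {entry_section!r}, outside standard sections")
    return {"entry_section": entry_section, "stored_checksum": stored,
            "computed_checksum": computed, "sections": sections, "findings": findings}


def build_sample_pe(checksum: int = 0x1B269B) -> bytes:
    """Constructed 32-bit PE (not the analysed file): sections named like the report's,
    entry point in .taggant, and by default the report's stale CheckSum in the header."""
    def noise(n):                                             # deterministic stand-in for packed code
        out, block = b"", b"seed"
        while len(out) < n:
            block = hashlib.sha256(block).digest()
            out += block
        return out[:n]
    specs = [(b"", SCN_READ | SCN_WRITE | SCN_EXEC, bytes(0x200)),          # blank name, like the report's
             (b".idata", SCN_READ | SCN_WRITE, b"kernel32.dll\0GetProcAddress\0".ljust(0x200, b"\0")),
             (b"agswtfru", SCN_READ | SCN_WRITE | SCN_EXEC, noise(0x1000)),
             (b".taggant", SCN_READ | SCN_WRITE | SCN_EXEC, b"\x60\x0f\x31\x61\xc3".ljust(0x200, b"\0"))]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x102)  # i386, 32-bit, executable
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                          # section / file alignment
    struct.pack_into("<I", opt, 60, 0x200)                                   # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                                # CheckSum
    struct.pack_into("<H", opt, 68, 2)                                       # Subsystem: Windows GUI
    headers, body, va, rptr = b"", b"", 0x1000, 0x200
    for name, chars, raw in specs:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), rptr, 0, 0, 0, 0, chars)
        if name == b".taggant":
            struct.pack_into("<I", opt, 16, va)                              # AddressOfEntryPoint
        body, rptr, va = body + raw, rptr + len(raw), va + (len(raw) + 0xFFF) // 0x1000 * 0x1000
    struct.pack_into("<I", opt, 56, va)                                      # SizeOfImage
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    for finding in triage_pe(build_sample_pe())["findings"]:
        print(finding)
```

Point triage_pe at the real file and the same findings fall out of the headers in milliseconds. The CheckSum deserves one caveat: Windows only enforces it for drivers and a few other images, so a zero value is normal for user-mode binaries and is not flagged here; a non-zero value that does not match, as in this sample, means the image was modified after the linker wrote the header, which is exactly what a packer does.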

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (2 times)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (3 times)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass (2 times)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (16 times)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
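The window-class searches in the section above and the two registry opens here are the sample's static fingerprints of an analysis box: FilemonClass, RegmonClass and PROCMON_WINDOW_CLASS are the window classes of the Sysinternals monitors, and the Wine and VBOX__ DSDT keys exist only under Wine or VirtualBox. Because the sample itself tries both RegmonClass and Regmonclass, a scanner for these strings has to be case-insensitive, and because Win32 code reaches them as either ANSI or wide strings it has to look for both encodings. The scanner below is an added example (not code from the report or the sample) that does that over a file or memory dump; the entries marked "assumed" in INDICATORS are common companions the editor added, and nothing in this report says the sample checks them. It runs here on a constructed dump, not on the sample's memory.

```python
import re

# Strings the report shows the sample looking for at runtime, plus a few assumed
# companions (marked) that this report does not attribute to the sample.
INDICATORS = {
    "analysis-tool window class": [b"FilemonClass", b"RegmonClass", b"PROCMON_WINDOW_CLASS",
                                   b"OLLYDBG", b"WinDbgFrameClass"],                     # last two assumed
    "VM or sandbox registry path": [b"Software\\Wine", b"HARDWARE\\ACPI\\DSDT\\VBOX__",
                                    b"SOFTWARE\\VMware, Inc.\\VMware Tools",             # assumed
                                    b"SYSTEM\\CurrentControlSet\\Services\\VBoxGuest"],   # assumed
}


def _patterns(indicator: bytes):
    """ASCII and UTF-16LE forms of one indicator, matched case-insensitively because
    the sample itself tries both 'RegmonClass' and 'Regmonclass'."""
    ascii_pat = re.escape(indicator)
    utf16_pat = b"".join(re.escape(bytes([c])) + b"\x00" for c in indicator)
    return (("ascii", re.compile(ascii_pat, re.IGNORECASE)),
            ("utf-16le", re.compile(utf16_pat, re.IGNORECASE)))


def scan(blob: bytes) -> list:
    """Every indicator hit in a file or memory dump, sorted by offset."""
    hits = []
    for category, indicators in INDICATORS.items():
        for indicator in indicators:
            for encoding, pattern in _patterns(indicator):
                for m in pattern.finditer(blob):
                    hits.append({"category": category, "indicator": indicator.decode(),
                                 "encoding": encoding, "offset": m.start(),
                                 "seen": m.group(0).replace(b"\x00", b"").decode("latin-1")})
    return sorted(hits, key=lambda h: h["offset"])


def summarize(hits: list) -> dict:
    """Category -> set of distinct indicators se seen, the shape an analyst's note wants."""
    out = {}
    for h in hits:
        out.setdefault(h["category"], set()).add(h["indicator"])
    return out


# Constructed dump standing in for a process memory region (not data from the sample):
# one wide string, one ANSI string in the sample's alternate casing, two registry paths.
SAMPLE_DUMP = (b"\x90" * 64 + "PROCMON_WINDOW_CLASS".encode("utf-16le") + b"\x00\x00"
               + b"junk" + b"Regmonclass\x00" + b"Software\\Wine\x00"
               + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00")

if __name__ == "__main__":
    for h in scan(SAMPLE_DUMP):
        print(f"{h['offset']:#08x} {h['encoding']:<8} {h['category']}: {h['seen']}")
```

On a packed sample like this one the strings are only visible in the unpacked memory dumps the report lists under "Unpacked PE file", not in file.exe on disk, so run it over the dump rather than the original file.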
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 186C4B second address: 186C60 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE1CC51C006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 186C60 second address: 186C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18EA22 second address: 18EA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18EBA2 second address: 18EBDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007FE1CCE8C03Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE1CCE8C03Ch 0x00000012 jmp 00007FE1CCE8C048h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18EE9B second address: 18EE9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18EE9F second address: 18EEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c jne 00007FE1CCE8C036h 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18EEB2 second address: 18EEBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE1CC51C006h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18EEBE second address: 18EEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18F03C second address: 18F044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18F044 second address: 18F04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18F04A second address: 18F06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FE1CC51C00Ch 0x0000000e pushad 0x0000000f jo 00007FE1CC51C006h 0x00000015 je 00007FE1CC51C006h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18F06F second address: 18F074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18F074 second address: 18F089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1CC51C00Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 18F089 second address: 18F08D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1916F5 second address: 19171A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push esi 0x0000000c jmp 00007FE1CC51C010h 0x00000011 pop esi 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 19171A second address: 191724 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 191868 second address: 191894 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FE1CC51C00Dh 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE1CC51C00Fh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 191894 second address: 19189A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 19189A second address: 19189E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 19189E second address: 19191B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push esi 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 pop esi 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FE1CCE8C038h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1C91h], ecx 0x00000033 lea ebx, dword ptr [ebp+12447605h] 0x00000039 push 00000000h 0x0000003b push edi 0x0000003c call 00007FE1CCE8C038h 0x00000041 pop edi 0x00000042 mov dword ptr [esp+04h], edi 0x00000046 add dword ptr [esp+04h], 0000001Bh 0x0000004e inc edi 0x0000004f push edi 0x00000050 ret 0x00000051 pop edi 0x00000052 ret 0x00000053 jnc 00007FE1CCE8C040h 0x00000059 push eax 0x0000005a jl 00007FE1CCE8C044h 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 19191B second address: 19191F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1919C3 second address: 191A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C042h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d xor edi, dword ptr [ebp+122D2E79h] 0x00000013 push 00000000h 0x00000015 xor dword ptr [ebp+122D1CD5h], ebx 0x0000001b call 00007FE1CCE8C039h 0x00000020 jmp 00007FE1CCE8C03Ah 0x00000025 push eax 0x00000026 jmp 00007FE1CCE8C046h 0x0000002b mov eax, dword ptr [esp+04h] 0x0000002f jp 00007FE1CCE8C055h 0x00000035 push eax 0x00000036 push edx 0x00000037 jnc 00007FE1CCE8C036h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 191A27 second address: 191A51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C013h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jnp 00007FE1CC51C008h 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FE1CC51C006h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 191A51 second address: 191B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C044h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push ecx 0x00000010 jmp 00007FE1CCE8C043h 0x00000015 pop ecx 0x00000016 pop eax 0x00000017 pop eax 0x00000018 jmp 00007FE1CCE8C045h 0x0000001d push 00000003h 0x0000001f pushad 0x00000020 push edi 0x00000021 mov edi, dword ptr [ebp+122D1C9Fh] 0x00000027 pop ecx 0x00000028 popad 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D1F16h], edi 0x00000031 push edi 0x00000032 pushad 0x00000033 mov edi, edx 0x00000035 jc 00007FE1CCE8C036h 0x0000003b popad 0x0000003c pop edi 0x0000003d push 00000003h 0x0000003f jno 00007FE1CCE8C03Ch 0x00000045 mov si, 6EFBh 0x00000049 push 99735064h 0x0000004e ja 00007FE1CCE8C03Eh 0x00000054 add dword ptr [esp], 268CAF9Ch 0x0000005b mov edi, dword ptr [ebp+122D291Bh] 0x00000061 lea ebx, dword ptr [ebp+1244760Eh] 0x00000067 or dword ptr [ebp+122D1C5Bh], ecx 0x0000006d push eax 0x0000006e pushad 0x0000006f push edi 0x00000070 jmp 00007FE1CCE8C045h 0x00000075 pop edi 0x00000076 push esi 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 191C6E second address: 191CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 add dword ptr [esp], 0F19F7E9h 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FE1CC51C008h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 lea ebx, dword ptr [ebp+12447619h] 0x0000002d mov dword ptr [ebp+122D36A5h], esi 0x00000033 jo 00007FE1CC51C00Ch 0x00000039 sub edx, 2C1CDBDDh 0x0000003f push eax 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jc 00007FE1CC51C006h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1A3E6A second address: 1A3E73 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B2E87 second address: 1B2E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 17CD6A second address: 17CD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B0D4D second address: 1B0D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CC51C00Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B0D62 second address: 1B0D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B0D6A second address: 1B0D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE1CC51C006h 0x0000000a jmp 00007FE1CC51C018h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B11B5 second address: 1B11BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B11BB second address: 1B11DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE1CC51C018h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B11DD second address: 1B11F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C03Bh 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B11F2 second address: 1B1203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE1CC51C00Ah 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B1203 second address: 1B1207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B1348 second address: 1B1367 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE1CC51C006h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FE1CC51C00Eh 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B163D second address: 1B1642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B17A6 second address: 1B17AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B17AA second address: 1B17AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B1D6B second address: 1B1D8A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FE1CC51C014h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B201C second address: 1B2026 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE1CCE8C036h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B2026 second address: 1B2030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B2030 second address: 1B2034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B2789 second address: 1B2795 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE1CC51C00Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B4FF9 second address: 1B5020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FE1CCE8C038h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 jnp 00007FE1CCE8C036h 0x00000016 jmp 00007FE1CCE8C03Eh 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 17E8CE second address: 17E8D4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 17E8D4 second address: 17E8E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FE1CCE8C036h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B6566 second address: 1B657C instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE1CC51C00Ch 0x00000008 je 00007FE1CC51C006h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B657C second address: 1B6580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1B7781 second address: 1B7787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BF556 second address: 1BF55D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1837E7 second address: 1837EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1837EB second address: 1837F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BEB19 second address: 1BEB25 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BEB25 second address: 1BEB3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1CCE8C045h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BEE08 second address: 1BEE0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BEE0C second address: 1BEE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE1CCE8C036h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BEE1C second address: 1BEE26 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1BF15D second address: 1BF166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1BF166 second address: 1BF16D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C046B second address: 1C0471 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C0578 second address: 1C057D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C0A14 second address: 1C0A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C0A19 second address: 1C0A23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FE1CC51C006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C0C73 second address: 1C0C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C0C77 second address: 1C0C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C2640 second address: 1C2646 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C429D second address: 1C42A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C6837 second address: 1C6842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE1CCE8C036h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C6842 second address: 1C6859 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FE1CC51C00Ch 0x00000011 jo 00007FE1CC51C006h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C6859 second address: 1C685F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1C7D1F second address: 1C7D23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CC011 second address: 1CC017 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CC5F4 second address: 1CC5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CC5F8 second address: 1CC5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CC5FE second address: 1CC603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CC689 second address: 1CC68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CC68D second address: 1CC6C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C016h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FE1CC51C019h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CDA41 second address: 1CDA47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CE892 second address: 1CE8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE1CC51C016h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE1CC51C00Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CDA47 second address: 1CDA5A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnp 00007FE1CCE8C036h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CE8C0 second address: 1CE8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CE8C6 second address: 1CE8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D078C second address: 1D079B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C00Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CE8CA second address: 1CE8CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D2598 second address: 1D259C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D1834 second address: 1D183A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D259C second address: 1D25A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D25A0 second address: 1D25C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE1CCE8C044h 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D34EF second address: 1D34F4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D34F4 second address: 1D353F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FE1CCE8C038h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jmp 00007FE1CCE8C03Ch 0x00000027 push 00000000h 0x00000029 mov ebx, edi 0x0000002b mov ebx, eax 0x0000002d push 00000000h 0x0000002f js 00007FE1CCE8C039h 0x00000035 and bh, FFFFFFCBh 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D353F second address: 1D3543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D5569 second address: 1D556D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D556D second address: 1D5578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D5B63 second address: 1D5B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D7B9D second address: 1D7BA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D7BA1 second address: 1D7BA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D9C23 second address: 1D9C2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D6F42 second address: 1D6F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D7D64 second address: 1D7D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D5DFA second address: 1D5E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D7D68 second address: 1D7D86 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE1CC51C016h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D5E00 second address: 1D5E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DA172 second address: 1DA177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1D5E04 second address: 1D5E20 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jng 00007FE1CCE8C03Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DA354 second address: 1DA376 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE1CC51C006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FE1CC51C00Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007FE1CC51C006h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DB32E second address: 1DB332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DB40D second address: 1DB412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DB412 second address: 1DB42F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FE1CCE8C042h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DE2F0 second address: 1DE2FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE1CC51C006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DE2FF second address: 1DE317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007FE1CCE8C038h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FE1CCE8C036h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DE317 second address: 1DE31B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DE31B second address: 1DE381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 jns 00007FE1CCE8C03Ch 0x0000000e sub dword ptr [ebp+122D229Fh], ebx 0x00000014 push 00000000h 0x00000016 jl 00007FE1CCE8C03Ch 0x0000001c mov edi, dword ptr [ebp+122D33D6h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007FE1CCE8C038h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e xchg eax, esi 0x0000003f jmp 00007FE1CCE8C046h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jbe 00007FE1CCE8C03Ch 0x0000004d jnc 00007FE1CCE8C036h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1DE513 second address: 1DE518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E195E second address: 1E1964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E1964 second address: 1E1968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E1968 second address: 1E199A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE1CCE8C044h 0x00000008 jmp 00007FE1CCE8C03Eh 0x0000000d ja 00007FE1CCE8C042h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E199A second address: 1E19AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE1CC51C006h 0x0000000a popad 0x0000000b pushad 0x0000000c jnp 00007FE1CC51C006h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E19AE second address: 1E19B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 181E60 second address: 181E66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 181E66 second address: 181E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C043h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 181E7F second address: 181E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 181E87 second address: 181E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E3CC6 second address: 1E3CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E80FE second address: 1E8103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E859E second address: 1E85A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1E85A5 second address: 1E85AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F4ACE second address: 1F4AE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C016h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1F4AE8 second address: 1F4AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FE1CCE8C036h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FA113 second address: 1FA121 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE1CC51C006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 200217 second address: 200223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FE1CCE8C036h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 200223 second address: 200227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FF64A second address: 1FF650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FF650 second address: 1FF654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FF654 second address: 1FF658 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FF658 second address: 1FF66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jg 00007FE1CC51C033h 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007FE1CC51C006h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FF7E7 second address: 1FF7EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1FFB06 second address: 1FFB2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FE1CC51C00Dh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edx 0x0000000e ja 00007FE1CC51C012h 0x00000014 jp 00007FE1CC51C006h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20380F second address: 203820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FE1CCE8C036h 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203820 second address: 203824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203824 second address: 20382A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA3BE second address: 1CA3C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA3C2 second address: 1CA3CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA3CB second address: 1CA42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 jbe 00007FE1CC51C024h 0x0000000d nop 0x0000000e mov dh, bl 0x00000010 lea eax, dword ptr [ebp+124800DBh] 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FE1CC51C008h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 cld 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 jg 00007FE1CC51C00Ch 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA42D second address: 1CA448 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FE1CCE8C038h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FE1CCE8C03Ch 0x00000013 jp 00007FE1CCE8C036h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA448 second address: 1CA452 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE1CC51C00Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA452 second address: 1A7DA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007FE1CCE8C038h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 call dword ptr [ebp+12447AF8h] 0x00000027 pushad 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CAA5A second address: 1CAA64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE1CC51C006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CAA64 second address: 1CAA8D instructions: 0x00000000 rdtsc 0x00000002 je 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jg 00007FE1CCE8C047h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CAA8D second address: 1CAAD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FE1CC51C00Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push ecx 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jbe 00007FE1CC51C006h 0x00000019 popad 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007FE1CC51C00Ah 0x00000024 pop eax 0x00000025 mov edx, dword ptr [ebp+1246AA62h] 0x0000002b push 8EF91420h 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CABB8 second address: 1CABF1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FE1CCE8C03Ch 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007FE1CCE8C049h 0x00000017 xchg eax, esi 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CABF1 second address: 1CABF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CABF5 second address: 1CABFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CABFB second address: 1CAC00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CAF25 second address: 1CAF35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C03Bh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB5FA second address: 1CB5FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB5FF second address: 1CB605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB720 second address: 1CB736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C012h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A88AB second address: 1A88B5 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A88B5 second address: 1A88BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1A88BC second address: 1A88C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203B0E second address: 203B37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE1CC51C018h 0x00000008 jp 00007FE1CC51C006h 0x0000000e jne 00007FE1CC51C006h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203B37 second address: 203B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203B44 second address: 203B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CA3DB second address: 1CA42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C046h 0x00000009 popad 0x0000000a nop 0x0000000b mov dh, bl 0x0000000d lea eax, dword ptr [ebp+124800DBh] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007FE1CCE8C038h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d cld 0x0000002e nop 0x0000002f push eax 0x00000030 push edx 0x00000031 jg 00007FE1CCE8C03Ch 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203DA4 second address: 203DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203DA8 second address: 203DB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 203DB0 second address: 203DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB79B second address: 1CB79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB79F second address: 1A88AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C013h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a adc cx, 2FB0h 0x0000000f lea eax, dword ptr [ebp+124800DBh] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FE1CC51C008h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f and dh, FFFFFFDAh 0x00000032 push eax 0x00000033 push eax 0x00000034 jc 00007FE1CC51C00Ch 0x0000003a jno 00007FE1CC51C006h 0x00000040 pop eax 0x00000041 mov dword ptr [esp], eax 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007FE1CC51C008h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 0000001Ah 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e call dword ptr [ebp+122D1CF8h] 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 jnc 00007FE1CC51C006h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 204527 second address: 20452C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20452C second address: 20454A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 js 00007FE1CC51C012h 0x0000000e jo 00007FE1CC51C006h 0x00000014 jg 00007FE1CC51C006h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B877 second address: 20B892 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FE1CCE8C046h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B892 second address: 20B8AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B8AF second address: 20B8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE1CCE8C046h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B8CC second address: 20B8D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B8D2 second address: 20B8D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20A8CD second address: 20A90A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C019h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jg 00007FE1CC51C043h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE1CC51C015h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B31A second address: 20B320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B320 second address: 20B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B326 second address: 20B33E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C042h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20B33E second address: 20B342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20FF3A second address: 20FF40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20FF40 second address: 20FF4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210522 second address: 210577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C049h 0x00000009 popad 0x0000000a jnp 00007FE1CCE8C04Ch 0x00000010 jmp 00007FE1CCE8C048h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210973 second address: 210978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210978 second address: 21098F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007FE1CCE8C036h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210C5C second address: 210C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210C62 second address: 210C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210DA8 second address: 210DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210DAE second address: 210DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210DB2 second address: 210DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210DBB second address: 210DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C043h 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210DD3 second address: 210DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1CC51C012h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 210DE9 second address: 210DF8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE1CCE8C036h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20FC5E second address: 20FC76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FE1CC51C010h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20FC76 second address: 20FC7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 20FC7D second address: 20FC85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 214DA1 second address: 214DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 18881A second address: 188843 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C012h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FE1CC51C00Dh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 217C90 second address: 217C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 217C96 second address: 217C9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 217C9E second address: 217CBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C03Ah 0x00000007 push edi 0x00000008 jmp 00007FE1CCE8C040h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21BF24 second address: 21BF30 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21C0B0 second address: 21C0C5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE1CCE8C03Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21C0C5 second address: 21C104 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C016h 0x00000007 push ecx 0x00000008 je 00007FE1CC51C006h 0x0000000e jnl 00007FE1CC51C006h 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007FE1CC51C00Eh 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21C104 second address: 21C109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21E900 second address: 21E917 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE1CC51C006h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FE1CC51C008h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 21E917 second address: 21E937 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007FE1CCE8C036h 0x00000009 jmp 00007FE1CCE8C03Bh 0x0000000e pop edi 0x0000000f pushad 0x00000010 ja 00007FE1CCE8C036h 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 222C34 second address: 222C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FE1CC51C00Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 222C48 second address: 222C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2230EA second address: 223107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C018h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223107 second address: 22312A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jnp 00007FE1CCE8C036h 0x00000016 pop ebx 0x00000017 jmp 00007FE1CCE8C03Ch 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22341F second address: 223438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE1CC51C014h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223438 second address: 223467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C046h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE1CCE8C042h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 223467 second address: 22346B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 229B12 second address: 229B1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 229D99 second address: 229DA1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 229DA1 second address: 229DB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C03Eh 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB0A9 second address: 1CB0CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C019h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB0CD second address: 1CB0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB0D1 second address: 1CB0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB0D5 second address: 1CB0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB0DB second address: 1CB113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnl 00007FE1CC51C006h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov edi, dword ptr [ebp+122D2EBAh] 0x00000015 mov ebx, dword ptr [ebp+1248011Ah] 0x0000001b sub dword ptr [ebp+122D1CBAh], ecx 0x00000021 add eax, ebx 0x00000023 pushad 0x00000024 sbb ecx, 0FD5960Fh 0x0000002a mov dword ptr [ebp+122D2DEAh], esi 0x00000030 popad 0x00000031 nop 0x00000032 pushad 0x00000033 pushad 0x00000034 push edi 0x00000035 pop edi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB113 second address: 1CB132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ecx 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push esi 0x0000000d jmp 00007FE1CCE8C03Dh 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1CB132 second address: 1CB14E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ecx, 742A6E9Eh 0x0000000d push 00000004h 0x0000000f movzx edx, bx 0x00000012 push eax 0x00000013 pushad 0x00000014 jc 00007FE1CC51C00Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22AA6F second address: 22AA8B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE1CCE8C042h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22E3C8 second address: 22E3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 ja 00007FE1CC51C006h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22E513 second address: 22E534 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C03Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007FE1CCE8C03Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22E534 second address: 22E563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FE1CC51C019h 0x0000000b jmp 00007FE1CC51C00Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22E563 second address: 22E568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 22E70A second address: 22E714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 234F89 second address: 234FA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE1CCE8C03Bh 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235134 second address: 23513A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23513A second address: 235140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235140 second address: 23515B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1CC51C017h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23582E second address: 235840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C03Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235840 second address: 23585C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C018h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 235B0A second address: 235B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C041h 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 2360BF second address: 2360D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C012h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 236C4A second address: 236C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C044h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 236C64 second address: 236C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CC51C013h 0x00000009 popad 0x0000000a jmp 00007FE1CC51C00Ah 0x0000000f jc 00007FE1CC51C00Eh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F66C second address: 23F6A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FE1CCE8C044h 0x0000000a jmp 00007FE1CCE8C03Dh 0x0000000f jmp 00007FE1CCE8C03Ah 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F6A0 second address: 23F6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FE1CC51C014h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FE1CC51C013h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F6D5 second address: 23F707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE1CCE8C036h 0x0000000a jmp 00007FE1CCE8C049h 0x0000000f popad 0x00000010 jmp 00007FE1CCE8C03Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F707 second address: 23F70C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E980 second address: 23E99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007FE1CCE8C043h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E99A second address: 23E9A4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE1CC51C012h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E9A4 second address: 23E9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E9AA second address: 23E9B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23E9B2 second address: 23E9B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23EDA0 second address: 23EDA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23EDA4 second address: 23EDAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23EDAA second address: 23EDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FE1CC51C02Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23EDE4 second address: 23EDE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F0D0 second address: 23F0D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F0D4 second address: 23F0E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE1CCE8C036h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F21A second address: 23F21E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F350 second address: 23F356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 23F356 second address: 23F37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE1CC51C006h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 jmp 00007FE1CC51C011h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor. One entry per pair of consecutive rdtsc reads: address of the first read -> address of the second read, followed by the intercepted instructions, each prefixed with its byte offset in the sequence.
246B46 -> 246B4A: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
246B4A -> 246B5A: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE1CC51C00Ah 0x0000000b rdtsc
246B5A -> 246B5F: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
246B5F -> 246B7B: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE1CC51C00Ch 0x00000015 rdtsc
246CD7 -> 246CDB: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
246CDB -> 246CF7: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d rdtsc
246CF7 -> 246D16: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C040h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007FE1CCE8C036h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
246D16 -> 246D1C: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
246D1C -> 246D4A: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FE1CCE8C03Bh 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007FE1CCE8C043h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
246D4A -> 246D64: 0x00000000 rdtsc 0x00000002 jc 00007FE1CC51C006h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FE1CC51C00Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
246EC5 -> 246ED7: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FE1CCE8C036h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop edi 0x00000012 rdtsc
24E94A -> 24E94E: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
24E94E -> 24E954: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
24E954 -> 24E95C: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
24E95C -> 24E971: 0x00000000 rdtsc 0x00000002 jc 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FE1CCE8C036h 0x00000015 rdtsc
25A585 -> 25A5B7: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FE1CC51C012h 0x0000000c jng 00007FE1CC51C00Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE1CC51C00Eh 0x00000019 rdtsc
25A5B7 -> 25A5DC: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007FE1CCE8C036h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jns 00007FE1CCE8C036h 0x00000015 jg 00007FE1CCE8C036h 0x0000001b jnp 00007FE1CCE8C036h 0x00000021 popad 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
2651D6 -> 265216: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C016h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jnl 00007FE1CC51C008h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE1CC51C018h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
265216 -> 26524E: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FE1CCE8C053h 0x0000000c pushad 0x0000000d jnp 00007FE1CCE8C036h 0x00000013 ja 00007FE1CCE8C036h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
2653B9 -> 2653C1: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
2689A5 -> 2689AB: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
2689AB -> 2689C8: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jg 00007FE1CC51C006h 0x00000014 popad 0x00000015 push edi 0x00000016 jng 00007FE1CC51C006h 0x0000001c pop edi 0x0000001d rdtsc
2689C8 -> 2689E3: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE1CCE8C047h 0x00000009 rdtsc
272AA8 -> 272AAC: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
272AAC -> 272ABB: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
278A60 -> 278A66: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
278BA6 -> 278BAA: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
278BAA -> 278BC3: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE1CC51C00Fh 0x0000000f rdtsc
278BC3 -> 278BE0: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FE1CCE8C03Fh 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FE1CCE8C036h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
278BE0 -> 278BE4: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
27E54F -> 27E553: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
27E553 -> 27E55B: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
27E55B -> 27E565: 0x00000000 rdtsc 0x00000002 js 00007FE1CCE8C042h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
27E565 -> 27E56B: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
27E56B -> 27E57D: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FE1CCE8C03Ch 0x0000000b rdtsc
282C3D -> 282C59: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007FE1CC51C00Eh 0x0000000e push ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
282C59 -> 282C79: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE1CCE8C048h 0x0000000d rdtsc
2844E3 -> 2844E7: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2980E3 -> 2980E7: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
2980E7 -> 298102: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CC51C00Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
298102 -> 29811D: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE1CCE8C03Dh 0x00000009 jg 00007FE1CCE8C036h 0x0000000f popad 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
297FB3 -> 297FB9: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
297FB9 -> 297FBE: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
29A871 -> 29A875: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
29A875 -> 29A87A: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
29A9D5 -> 29A9F0: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FE1CC51C006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FE1CC51C00Fh 0x00000011 rdtsc
29A9F0 -> 29AA1B: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C03Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FE1CCE8C05Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE1CCE8C042h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
29AA1B -> 29AA1F: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2A1C94 -> 2A1C9E: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
2A0EFD -> 2A0F05: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
2A0F05 -> 2A0F14: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FE1CCE8C03Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
2A13A4 -> 2A13AA: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
2A1698 -> 2A169E: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
2A169E -> 2A16A2: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2A19A2 -> 2A19A8: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
2A19A8 -> 2A19AE: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
2A19AE -> 2A19CD: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE1CCE8C047h 0x0000000d rdtsc
2A339E -> 2A33A2: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2A33A2 -> 2A33C1: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CCE8C03Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007FE1CCE8C03Ch 0x0000000f rdtsc
2A6062 -> 2A6066: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2A8EA2 -> 2A8EA6: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2A8EA6 -> 2A8EAC: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
2AE51C -> 2AE53D: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE1CCE8C036h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE1CCE8C03Ch 0x0000001a rdtsc
2AE53D -> 2AE543: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
2AFED6 -> 2AFEDA: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
2AFEDA -> 2AFEF8: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE1CC51C006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jnc 00007FE1CC51C006h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
2AFEF8 -> 2AFF20: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FE1CCE8C049h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
2AFF20 -> 2AFF24: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
2AFF24 -> 2AFF2A: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
2AFF2A -> 2AFF4F: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C011h 0x00000007 pushad 0x00000008 jmp 00007FE1CC51C00Dh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
2A9172 -> 2A917E: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE1CCE8C036h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
2A917E -> 2A918B: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FE1CC51C00Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
2A918B -> 2A918F: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
2A918F -> 2A919A: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FE1CC51C006h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
2A92E1 -> 2A92EB: 0x00000000 rdtsc 0x00000002 jnl 00007FE1CCE8C036h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
2A92EB -> 2A9307: 0x00000000 rdtsc 0x00000002 jmp 00007FE1CC51C016h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
2AA2B1 -> 2AA2B5: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
2AA2B5 -> 2AA2BB: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
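The entries above all have the same shape: two rdtsc reads a handful of bytes apart with nothing but push/pop pairs, pushad/popad pairs and short jumps between them. That is what a protector's timing check looks like once junk code has been threaded through it (the memory strings further down in this section, Oreans.vxd and Software\WinLicense, point at the protector family). The parser below is an added example, not Joe Sandbox's code or the sample's: it reads interceptor lines in either the form shown above or the raw report form, classifies every instruction between the two reads, and reports whether any real computation sits between them. Lines 1-4 of the embedded sample are copied from this report, line 5 is the report's 246CD7 entry in the compact form, and line 6 is a constructed line with a sub/cmp pair that shows what a window with real arithmetic looks like.

```python
"""Parse Joe Sandbox "RDTSC instruction interceptor" entries and classify the
instructions between each pair of rdtsc reads.
Added example; not code from Joe Sandbox or from the sample."""
import re
from dataclasses import dataclass

# Matches the raw report form ("First address: X second address: Y instructions: ...")
# and the compact "X -> Y: ..." form.
LINE_RE = re.compile(
    r"(?:First address:\s*)?(?P<first>[0-9A-Fa-f]{4,8})\s*(?:second address:|->)\s*"
    r"(?P<second>[0-9A-Fa-f]{4,8})\s*(?:instructions:|:)\s*(?P<instrs>0x[0-9A-Fa-f]{8}\s.*)$"
)
# Every instruction in the report is prefixed with "0x<offset> ".
OFFSET_SPLIT = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s+")
# Net stack effect, in dwords, of the register-shuffling instructions seen in the report.
STACK_OPS = {"push": 1, "pop": -1, "pushad": 8, "popad": -8}


@dataclass(frozen=True)
class Instr:
    offset: int
    mnemonic: str
    operand: str

    def kind(self) -> str:
        if self.mnemonic == "rdtsc":
            return "rdtsc"
        if self.mnemonic in STACK_OPS:
            return "stack"
        if self.mnemonic.startswith("j"):   # jmp and every jcc
            return "branch"
        return "other"                       # arithmetic, compare, memory access ...


@dataclass
class Record:
    first: int
    second: int
    instrs: list

    @property
    def span(self) -> int:                   # bytes between the two rdtsc instructions
        return self.second - self.first

    def between(self) -> list:               # instructions strictly between the two reads
        return self.instrs[1:-1]

    def is_junk_only(self) -> bool:
        """True when only stack shuffling and jumps separate the two reads."""
        return all(i.kind() in ("stack", "branch") for i in self.between())

    def stack_delta(self) -> int:
        return sum(STACK_OPS.get(i.mnemonic, 0) for i in self.between())


def parse_instructions(text: str) -> list:
    parts = OFFSET_SPLIT.split(text.strip())   # ['', off, instr, off, instr, ...]
    out = []
    for off, ins in zip(parts[1::2], parts[2::2]):
        mnemonic, _, operand = ins.strip().partition(" ")
        out.append(Instr(int(off, 16), mnemonic.lower(), operand.strip()))
    return out


def parse_records(lines) -> list:
    recs = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            recs.append(Record(int(m["first"], 16), int(m["second"], 16),
                               parse_instructions(m["instrs"])))
    return recs


def chains(records) -> list:
    """Group consecutive records whose second address is the next record's first."""
    groups = []
    for r in records:
        if groups and groups[-1][-1].second == r.first:
            groups[-1].append(r)
        else:
            groups.append([r])
    return groups


def summarize(records) -> dict:
    return {
        "records": len(records),
        "junk_only": sum(r.is_junk_only() for r in records),
        "max_span": max((r.span for r in records), default=0),
        "other_mnemonics": sorted({i.mnemonic for r in records
                                   for i in r.between() if i.kind() == "other"}),
        "chains": [len(c) for c in chains(records)],
    }


# Lines 1-4: copied from this report (raw form). Line 5: the report's 246CD7 entry in the
# compact form. Line 6: constructed, with real arithmetic between the reads.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 246B46 second address: 246B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 246B4A second address: 246B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE1CC51C00Ah 0x0000000b rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 246B5A second address: 246B5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 246B5F second address: 246B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE1CC51C00Ch 0x00000015 rdtsc",
    r"246CD7 -> 246CDB: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"300000 -> 300009: 0x00000000 rdtsc 0x00000002 sub eax, ebx 0x00000004 cmp eax, 1000h 0x00000009 rdtsc",
]

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LINES)))
```

Run it over the full set of entries from a report (copy the lines into SAMPLE_LINES or read them from a file) and look at `other_mnemonics`: an empty list means no instruction between any pair of reads does anything except churn the stack, which is the junk-wrapped timing check rather than code that happens to read the counter twice. `chains` shows how long the runs of back-to-back reads are; the report's 246B46 entries form one chain of four.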
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1D988 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1B5C26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1E3D0A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1CA5CA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 7050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB056 rdtsc 0_2_001AB056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A3A9B sidt fword ptr [esp-02h] 0_2_001A3A9B
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7116 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001F5844 GetSystemInfo,VirtualAlloc, 0_2_001F5844
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001AB056 rdtsc 0_2_001AB056
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001A3F30 LdrInitializeThunk, 0_2_001A3F30
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ptNProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001EDF66 GetSystemTime,GetFileTime, 0_2_001EDF66

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTW ARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
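The registry writes above switch off real-time scanning, IOAV scanning of downloads, Security Center notifications and Tamper Protection, and change three Windows Update policy values. On a host suspected of running this sample the quickest offline check is to export the policy keys with reg export and run them through a checker. The script below is an added example, not Joe Sandbox's code: it parses the REGEDIT5 text that reg export writes and flags each value listed above. Two things are assumptions because the report does not show them: the key that holds TamperProtection (HKLM\SOFTWARE\Microsoft\Windows Defender\Features, where 5 is the enabled state) and the data written to the three Windows Update values (the constructed sample uses AUOptions=1, which means never check for updates, DoNotConnectToWindowsUpdateInternetLocations=1 and AutoInstallMinorUpdates=0).

```python
"""Offline audit of a `reg export` dump for the Defender and Windows Update policy
values that this report shows the sample writing.
Added example; not code from Joe Sandbox or from the sample."""
import re
from dataclasses import dataclass

SOFTWARE = r"HKEY_LOCAL_MACHINE\SOFTWARE"
RTP = SOFTWARE + r"\Policies\Microsoft\Windows Defender\Real-Time Protection"
NOTIF = SOFTWARE + r"\Policies\Microsoft\Windows Defender Security Center\Notifications"
WU = SOFTWARE + r"\Policies\Microsoft\Windows\WindowsUpdate"
# Assumed location: the report lists only "TamperProtection 0" without its key.
TP = SOFTWARE + r"\Microsoft\Windows Defender\Features"

# (key, value name, predicate that is True for the hostile setting, explanation)
RULES = [
    (RTP, "DisableRealtimeMonitoring", lambda d: d == 1, "real-time scanning disabled by policy"),
    (RTP, "DisableIOAVProtection", lambda d: d == 1, "scanning of downloads/attachments disabled by policy"),
    (NOTIF, "DisableNotifications", lambda d: d == 1, "Security Center notifications suppressed"),
    (TP, "TamperProtection", lambda d: d != 5, "Tamper Protection not in the enabled state (5)"),
    (WU, "DoNotConnectToWindowsUpdateInternetLocations", lambda d: d == 1, "client kept off Windows Update"),
    (WU + r"\AU", "AUOptions", lambda d: d == 1, "automatic updates set to never check (1)"),
    (WU + r"\AU", "AutoInstallMinorUpdates", lambda d: d == 0, "automatic install of minor updates disabled"),
]


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: int
    why: str

    def remediation(self) -> str:
        # Policy values have no "enabled" state of their own: deleting them restores the default.
        # Tamper Protection is turned back on from the Windows Security app, not by editing the value.
        if self.name == "TamperProtection":
            return "re-enable Tamper Protection in Windows Security (or via the MDE tenant setting)"
        return f'reg delete "{self.key}" /v {self.name} /f'


_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse the REGEDIT5 text written by `reg export` (DWORD and string values only).
    Returns {key_path: {value_name: data}} with DWORDs converted to int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if current is None or not m:
            continue                  # default values (@=) and hex blobs are not needed here
        data = m["data"]
        if data.startswith("dword:"):
            keys[current][m["name"]] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][m["name"]] = data[1:-1]
    return keys


def audit(keys: dict) -> list:
    """Registry paths and value names are case-insensitive, so compare them lower-cased."""
    folded = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in keys.items()}
    findings = []
    for key, name, hostile, why in RULES:
        data = folded.get(key.lower(), {}).get(name.lower())
        if isinstance(data, int) and hostile(data):
            findings.append(Finding(key, name, data, why))
    return findings


def audit_file(path: str) -> list:
    # reg export writes UTF-16LE with a BOM; the "utf-16" codec consumes the BOM.
    with open(path, encoding="utf-16") as fh:
        return audit(parse_reg_export(fh.read()))


# Constructed sample: the values this report shows, plus assumed data for the three
# Windows Update values and an assumed key for TamperProtection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableIOAVProtection"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotConnectToWindowsUpdateInternetLocations"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000001
"AutoInstallMinorUpdates"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
"TamperProtection"=dword:00000000
"""

if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{f.key}\\{f.name} = {f.data}: {f.why}\n    fix: {f.remediation()}")
```

On the host, `reg export "HKLM\SOFTWARE\Policies\Microsoft" policies.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" features.reg` produce the input; `audit_file()` handles the UTF-16 encoding reg export uses. The rules deliberately match only the values this report shows; extend RULES for other Defender policy values rather than loosening the predicates.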
MITRE ATT&CK matrix: techniques flagged by this report, grouped by tactic. The digits in front of each technique are the count badge text as extracted; the report draws several badges per cell and they have run together here, so 641 is not a single count.

Execution: 2 Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; 2 Bypass User Account Control
Defense Evasion: 1 Masquerading; 41 Disable or Modify Tools; 271 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 2 Bypass User Account Control
Discovery: 1 System Time Discovery; 641 Security Software Discovery; 2 Process Discovery; 271 Virtualization/Sandbox Evasion; 24 System Information Discovery
Collection: 1 Archive Collected Data
Command and Control: 2 Encrypted Channel
No techniques flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Antivirus detection
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532866
Start date and time: 2024-10-14 03:32:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.933667799919736
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'750'016 bytes
MD5:e74b2676a77045684f8ec5f46a486da8
SHA1:49bedb5d53e2b945d77a8a1bad6ee7eea2d982a5
SHA256:e38f3aabd29c5a1225fedb0146299efa05263cf829e60b1d061d12ff7220433b
SHA512:b2173b998bf0ae15fd886069ea891187b9a880e002e5b58e933785160404626640a4d362f4a6e24b303651b9da3333f9f346c8b6cb92f37dd1eca94d7a002cda
SSDEEP:49152:gOUB25Q4T8BBgwn1E32mB5W8kgXlL9Dhh:+KNTABhE3dzvkgB9Vh
TLSH:288533548AE0672CCE260EBE7459A4D2F4754934C8F0CBD5CEA8C3B2C433AE66757D26
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`E.. ...`....@.. ........................E......&....`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x856000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | 1ec7b2dc961dc32358153a7a10947a53 | False | 0.9329427083333334 | data | 7.796889109002509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0xa000 | 0x2a4000 | 0x200 | 1264b44a27a9c0896180a83749a05339 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
agswtfru | 0x2ae000 | 0x1a6000 | 0x1a5200 | 51c499b41eae5933b85a2622db669587 | False | 0.9949447165330959 | data | 7.953771866704537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
doxgtilc | 0x454000 | 0x2000 | 0x400 | 5c9ce5176a590eeb70f5cef86fa789d6 | False | 0.7880859375 | data | 6.154846172728785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x456000 | 0x4000 | 0x2200 | 87c46b93bad48d594f5926e89880c18b | False | 0.06204044117647059 | DOS executable (COM) | 0.7482791851283932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID:0
Start time:21:32:54
Start date:13/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x10000
File size:1'750'016 bytes
MD5 hash:E74B2676A77045684F8EC5F46A486DA8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.7%
    Dynamic/Decrypted Code Coverage:3.5%
    Signature Coverage:4.1%
    Total number of Nodes:339
    Total number of Limit Nodes:19

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-122B5FEC), ref: 001F5850
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 001F58B1
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 3bfab1de4fbacd28e090b590a934277ef4cbe1f257e3e8b77c8f6ebf31d0ea3b
    • Instruction ID: f9de698731789a34f56fc0163e7ab79fd33beff4d3f6cb32b418cc3c09daf9c6
    • Opcode Fuzzy Hash: 3bfab1de4fbacd28e090b590a934277ef4cbe1f257e3e8b77c8f6ebf31d0ea3b
    • Instruction Fuzzy Hash: 5B414FB2D0460BAAE729CF60CC45FA6B7ADFB58741F1044A6A743DA482F77095D48BE0

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 001EB5FD
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 001EB611
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: fa226c5bb3388d4f90fbc50d875d3f522a5acf531f7efcb5aade7c4e4e98d415
    • Instruction ID: 4b34f7a8a50643710ce00466fa3e424588bf4e08fe6d50902c94aac734ab95f8
    • Opcode Fuzzy Hash: fa226c5bb3388d4f90fbc50d875d3f522a5acf531f7efcb5aade7c4e4e98d415
    • Instruction Fuzzy Hash: 3F31BC71408A89FFCF29EF52D845AAE7B75FF28300F114129FA0196162C7319EA0DFA1

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,001EB984,?,00000000,00000000), ref: 001EBAAF
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,001EB984,?,00000000,00000000), ref: 001EBABD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 09c8f8a72da887b676b0c67346570d50cdfdd2cbb39ed76a1769e79126cd48c6
    • Instruction ID: 5936a76c35f33fbfcf4df14060424b15a5c2b453a0e6890b1f9d5d4c5b950e07
    • Opcode Fuzzy Hash: 09c8f8a72da887b676b0c67346570d50cdfdd2cbb39ed76a1769e79126cd48c6
    • Instruction Fuzzy Hash: 4511AC30108E86EFDF39DF16D88975E3AB5BF50345F094231A404A64A1C774D9E0EBA1

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(00EE0254,-122B5FEC), ref: 001EE3C5
    • GetFileAttributesA.KERNEL32(00000000,-122B5FEC), ref: 001EE3D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: c4fa3f9bf0bf8e978c01af067e7b49487e9c55755c3527d1ad40ffd0e11a7375
    • Instruction ID: f97df67ede2132d94cbf6c02cf64a9c00a6cf04df60816142f0abac48733d6c8
    • Opcode Fuzzy Hash: c4fa3f9bf0bf8e978c01af067e7b49487e9c55755c3527d1ad40ffd0e11a7375
    • Instruction Fuzzy Hash: 1F018C30504A85FBDF259F67D90979C7EF0BF20344F228024E106674A1D3B19AE1EB41

    Control-flow Graph

    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0019E4A8
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 0019E4CF
    • GetNativeSystemInfo.KERNELBASE(?), ref: 0019E526
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 07b5c3cf26695daa06df2677120c781fbd549f2a2f808a77c711317e0bae8b40
    • Instruction ID: a67e992c022a175eb6b7792bdf85fba76015aaffb3444a459033d0f47810ac52
    • Opcode Fuzzy Hash: 07b5c3cf26695daa06df2677120c781fbd549f2a2f808a77c711317e0bae8b40
    • Instruction Fuzzy Hash: 6021357600024E9EEF22DF60C848BDE3BA8EF09315F100526E945C6951EBB64CA4DB69

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 001EA42E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 5f68785f42a4970847199883e1a4a5cbee6801f44c688fe6ae3b9e1f3e85a999
    • Instruction ID: 78c1ac14c4213f1927f58aa550add2574554831a0bb8c9496ab39b0ab82a8b52
    • Opcode Fuzzy Hash: 5f68785f42a4970847199883e1a4a5cbee6801f44c688fe6ae3b9e1f3e85a999
    • Instruction Fuzzy Hash: 62317A35A00A4ABFDF22CF96CC09F9EBB75FF08714F400155F901A54A0D772AAA1DB92

    Control-flow Graph

    control_flow_graph 138 1ebadb-1ebaee call 1e9e19 141 1ebaf4-1ebb00 call 1ea52b 138->141 142 1ebb31-1ebb45 call 1e9ec4 GetModuleHandleExA 138->142 145 1ebb05-1ebb07 141->145 148 1ebb4f-1ebb51 142->148 145->142 147 1ebb0d-1ebb14 145->147 149 1ebb1d-1ebb4a call 1e9ec4 147->149 150 1ebb1a 147->150 149->148 150->149
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 001EBB3F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: 120761d4fae9ecaaa0cdd5b6e044e83586307281fe9729063e1b69e95214e4fd
    • Instruction ID: 04b6caebcde7ca5d33c3b2d66d030b19c08d4d210e645b8180a95a5e2d364cc7
    • Opcode Fuzzy Hash: 120761d4fae9ecaaa0cdd5b6e044e83586307281fe9729063e1b69e95214e4fd
    • Instruction Fuzzy Hash: 5AF0B471204AC5EFCF14EF56D886BAE7BB4FF24300F118021FE0546155D330C860DA21

    Control-flow Graph

    control_flow_graph 181 1ee568-1ee576 182 1ee57c-1ee583 181->182 183 1ee588 181->183 184 1ee58f-1ee59b call 1e9e19 182->184 183->184 187 1ee5b6-1ee5c6 call 1ee51a 184->187 188 1ee5a1-1ee5ab call 1ee475 184->188 194 1ee5cc-1ee5d3 187->194 195 1ee5d8-1ee5e6 call 1ea52b 187->195 188->187 193 1ee5b1 188->193 196 1ee5f7-1ee5fc 193->196 194->196 195->196 202 1ee5ec-1ee5ed call 1ebd6f 195->202 198 1ee625-1ee63a CreateFileA 196->198 199 1ee602-1ee620 CreateFileW 196->199 201 1ee640-1ee641 198->201 199->201 203 1ee646-1ee64d call 1e9ec4 201->203 205 1ee5f2 202->205 205->203
    APIs
    • CreateFileW.KERNELBASE(00EE0254,?,?,-122B5FEC,?,?,?,-122B5FEC,?), ref: 001EE61A
      • Part of subcall function 001EE51A: IsBadWritePtr.KERNEL32(?,00000004), ref: 001EE528
    • CreateFileA.KERNEL32(?,?,?,-122B5FEC,?,?,?,-122B5FEC,?), ref: 001EE63A
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: ce0bce1ceeb691912ccfc8ace858560b467d897cb15ff9b321487ae741306874
    • Instruction ID: 6dab3e44cfcdb0ebd406b9ae379b0185bb7ba4d50b04a6ea33185f984ca0516b
    • Opcode Fuzzy Hash: ce0bce1ceeb691912ccfc8ace858560b467d897cb15ff9b321487ae741306874
    • Instruction Fuzzy Hash: 3E111C3500098AFBDF269F96DC09BAD3EB2BF18348F158019F901640A1D775C9B1EB51

    Control-flow Graph

    control_flow_graph 208 1eded4-1edeea call 1e9e19 GetCurrentProcess 211 1edf2c-1edf4e call 1e9ec4 DuplicateHandle 208->211 212 1edef0-1edef3 208->212 217 1edf58-1edf5a 211->217 212->211 214 1edef9-1edefc 212->214 214->211 216 1edf02-1edf15 call 1e9c73 214->216 216->211 220 1edf1b-1edf53 call 1ebc71 call 1e9ec4 216->220 220->217
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
    • GetCurrentProcess.KERNEL32(-122B5FEC), ref: 001EDEE1
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 001EDF47
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: c61211cfa133a56c5b02183cdca3ecb35990590966c2e850775c1de0d785099a
    • Instruction ID: 66a7709abf83516bbc7b39fb8dfffd5e565aeb70c7de1114430e65c537138758
    • Opcode Fuzzy Hash: c61211cfa133a56c5b02183cdca3ecb35990590966c2e850775c1de0d785099a
    • Instruction Fuzzy Hash: 5901F6721009CAFB8F12EFA6EC09C9F3B7AFFA87547114115FA0695021D732C862EB61

    Control-flow Graph

    control_flow_graph 241 1f6270-1f627e 242 1f6284-1f6296 241->242 243 1f62a1-1f62ab call 1f6105 241->243 242->243 247 1f629c 242->247 248 1f62b6-1f62bf 243->248 249 1f62b1 243->249 250 1f6400-1f6402 247->250 251 1f62d7-1f62de 248->251 252 1f62c5-1f62cc 248->252 249->250 254 1f62e9-1f62f9 251->254 255 1f62e4 251->255 252->251 253 1f62d2 252->253 253->250 254->250 256 1f62ff-1f630b call 1f61da 254->256 255->250 259 1f630e-1f6312 256->259 259->250 260 1f6318-1f6322 259->260 261 1f6349-1f634c 260->261 262 1f6328-1f633b 260->262 263 1f634f-1f6352 261->263 262->261 267 1f6341-1f6343 262->267 265 1f63f8-1f63fb 263->265 266 1f6358-1f635f 263->266 265->259 268 1f638d-1f63a6 266->268 269 1f6365-1f636b 266->269 267->261 267->265 275 1f63bf-1f63c7 VirtualProtect 268->275 276 1f63ac-1f63ba 268->276 270 1f6388 269->270 271 1f6371-1f6376 269->271 273 1f63f0-1f63f3 270->273 271->270 272 1f637c-1f6382 271->272 272->268 272->270 273->263 277 1f63cd-1f63d0 275->277 276->277 277->273 279 1f63d6-1f63ef 277->279 279->273
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b0fcd6755200426892907056fd77bf456989722d6454eb346982d9edb6a58ae8
    • Instruction ID: af05c6470e98ce86ac06fcc2a69526917417c139b3ef92de35fa6352d26da871
    • Opcode Fuzzy Hash: b0fcd6755200426892907056fd77bf456989722d6454eb346982d9edb6a58ae8
    • Instruction Fuzzy Hash: 1A418E71A0420DEFDB29DF24D944BBEB7B0FF10314F258455EA06AB192D374ACA1DB91

    Control-flow Graph

    control_flow_graph 281 1ec553-1ec564 282 1ec56a-1ec57e call 1e9ef7 281->282 283 1ec593-1ec59c call 1e9ef7 281->283 294 1ec681 282->294 295 1ec584-1ec592 282->295 288 1ec679-1ec67c call 1e9f1c 283->288 289 1ec5a2-1ec5b3 call 1ebd35 283->289 288->294 296 1ec5b9-1ec5bd 289->296 297 1ec5d3-1ec612 CreateFileA 289->297 298 1ec688-1ec68c 294->298 295->283 299 1ec5c3-1ec5cf call 1f0dbd 296->299 300 1ec5d0 296->300 301 1ec618-1ec635 297->301 302 1ec636-1ec639 297->302 299->300 300->297 301->302 305 1ec63f-1ec656 call 1e9c39 302->305 306 1ec66c-1ec674 call 1ebbc4 302->306 305->298 313 1ec65c-1ec667 call 1ebc32 305->313 306->294 313->294
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 001EC608
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 9352efb6b961b6e79fcc78f8cf51f38638d1253706c8d456331d66da20c7d0b6
    • Instruction ID: a72ae2863bc979c7cb7e698da4af149fc5ecd531bc431abaad13e1a8c00636ad
    • Opcode Fuzzy Hash: 9352efb6b961b6e79fcc78f8cf51f38638d1253706c8d456331d66da20c7d0b6
    • Instruction Fuzzy Hash: 6B31ADB1900644FBDF209F66DC85F9EBBB8FF18314F208269F504AA291C771AA52CF50

    Control-flow Graph

    control_flow_graph 316 1ebd6f-1ebd7e call 1e9ef7 319 1ebe84 316->319 320 1ebd84-1ebd95 call 1ebd35 316->320 321 1ebe8b-1ebe8f 319->321 324 1ebd9b-1ebd9f 320->324 325 1ebdb5-1ebdfb CreateFileA 320->325 328 1ebda5-1ebdb1 call 1f0dbd 324->328 329 1ebdb2 324->329 326 1ebe46-1ebe49 325->326 327 1ebe01-1ebe22 325->327 330 1ebe4f-1ebe66 call 1e9c39 326->330 331 1ebe7c-1ebe7f call 1ebbc4 326->331 327->326 337 1ebe28-1ebe45 327->337 328->329 329->325 330->321 339 1ebe6c-1ebe77 call 1ebc32 330->339 331->319 337->326 339->319
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 001EBDF1
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 3ad22ae9ba892fa80a760ce73f9dc0fcc338088068155d41a94d8fa3e7884be9
    • Instruction ID: 5088b9ebb65e01c4affe2edfaec4d58534980a4b5328f425cb3733591e229769
    • Opcode Fuzzy Hash: 3ad22ae9ba892fa80a760ce73f9dc0fcc338088068155d41a94d8fa3e7884be9
    • Instruction Fuzzy Hash: A731C371500A44BFEB309F65DC86FDEB7B8EB14728F208255F614AA1D1C3B1A592CF50

    Control-flow Graph

    control_flow_graph 343 1f5fbd-1f5fcc 344 1f5fd8-1f5fec 343->344 345 1f5fd2 343->345 347 1f60aa-1f60ac 344->347 348 1f5ff2-1f5ffc 344->348 345->344 349 1f6099-1f60a5 348->349 350 1f6002-1f600c 348->350 349->344 350->349 351 1f6012-1f601c 350->351 351->349 352 1f6022-1f6031 351->352 354 1f603c-1f6041 352->354 355 1f6037 352->355 354->349 356 1f6047-1f6056 354->356 355->349 356->349 357 1f605c-1f6073 GetModuleFileNameA 356->357 357->349 358 1f6079-1f6087 call 1f5f19 357->358 361 1f608d 358->361 362 1f6092-1f6094 358->362 361->349 362->347
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 001F606A
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 8834b3781aeb9776b9b8101244cd05f8db526ae199431a2a3f62c289e3dbc48e
    • Instruction ID: 31569c3746c7cfed10f1bcc324a6dfabdcb87b373e6f221c5d793339b03797ef
    • Opcode Fuzzy Hash: 8834b3781aeb9776b9b8101244cd05f8db526ae199431a2a3f62c289e3dbc48e
    • Instruction Fuzzy Hash: EE11D6B1A0122D9BEB3046148C48BBB736CEF44755F3440A9FA0696182DB70AD808AA1
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05020DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5020000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 1e367d9b568cf638a5bc35d7cd88ada238d043bda41a8cc5399289548d05de5f
    • Instruction ID: c38cdd49869681686556d17c34d3f2ae17d57d083196e65cae2b992b35107649
    • Opcode Fuzzy Hash: 1e367d9b568cf638a5bc35d7cd88ada238d043bda41a8cc5399289548d05de5f
    • Instruction Fuzzy Hash: 352135B6D01319CFCB44CF99E484ADEFBF1FB88310F14862AD909AB244C774A545CBA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05020DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5020000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: d37fd547fe1c3198500cfb79c062e5f2b140c90e9054f663723788e21efda39f
    • Instruction ID: c6b2f487bc6388fa8c16cf0280662aa38ef1a0db7c17201bc4744ea0fef3b671
    • Opcode Fuzzy Hash: d37fd547fe1c3198500cfb79c062e5f2b140c90e9054f663723788e21efda39f
    • Instruction Fuzzy Hash: FD2124B6C057199FCB50CF99E888ADEFBF4FF88310F14821AD909AB204D774A540CBA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05021580
    Memory Dump Source
    • Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5020000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: d11c11bfc1fdd4e8d4e656ef35176a950c7608b5c8f590540ad118bd745d92da
    • Instruction ID: a93bd6897c771572a006bcd7171dbf016e2ed6128f9848dd0239dfd865365345
    • Opcode Fuzzy Hash: d11c11bfc1fdd4e8d4e656ef35176a950c7608b5c8f590540ad118bd745d92da
    • Instruction Fuzzy Hash: 9F11D3B1904259DFDB10CF9AD584BDEFBF4EB48320F108029E559A7250D378AA44CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05021580
    Memory Dump Source
    • Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5020000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 8dba21815f4e4958e10574a6bd2a965ce83d27ab9eee35ee87a78209cfec5513
    • Instruction ID: 3a79a3ba4a2557af5a0ed76cb3b45b5a59c80fdb4b03fc3afdeb89630f50a52f
    • Opcode Fuzzy Hash: 8dba21815f4e4958e10574a6bd2a965ce83d27ab9eee35ee87a78209cfec5513
    • Instruction Fuzzy Hash: F72100B5900249CFCB10CF9AD584BDEBBF4BB48320F10842AE959A7250D778AA44CFA5
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-122B5FEC), ref: 001EF127
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 1608069c7d05e49432f6a5769b4155b8c9314c991047c1f393a6b93e69bc3089
    • Instruction ID: 9d20e43d2a9ab5d58c702fca385cf686b52e69480ff5f7d58c4df31fd489f769
    • Opcode Fuzzy Hash: 1608069c7d05e49432f6a5769b4155b8c9314c991047c1f393a6b93e69bc3089
    • Instruction Fuzzy Hash: D9110C3210098AFBCF16AFA6DC0AC9F3B76BF98384B114025FA0155021C736C472EBA1
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 7cc09c5a59e800b7d17c8d0597b40b41e7acb252ea88e28e9ff90a008e3c9bce
    • Instruction ID: 7a562ae7a3f74e4671f1a3cca547bb3c140a94d755b2ccc9a255b6b0f2cec3bb
    • Opcode Fuzzy Hash: 7cc09c5a59e800b7d17c8d0597b40b41e7acb252ea88e28e9ff90a008e3c9bce
    • Instruction Fuzzy Hash: 03112D72100ACAFBCF16AFA6CD09E9F3BE6AF54344F118511F911560A1C735C972EB61
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05021367
    Memory Dump Source
    • Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5020000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 890882ede3701785d29850b182f1d16f66fd609240bb7a4d98820ad70c025192
    • Instruction ID: cdcff2b0b4004a26345315d39b3dc6035b1b6f52a71ef300208906e62b4e8cfd
    • Opcode Fuzzy Hash: 890882ede3701785d29850b182f1d16f66fd609240bb7a4d98820ad70c025192
    • Instruction Fuzzy Hash: 721155B1800249CFDB10CF9AD984BEEFBF8EF48320F10846AD519A3240C778A545CFA1
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05021367
    Memory Dump Source
    • Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5020000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 322fb59cd6c26282021fa3c70cdb993bca283449609671e72bba41696cefae57
    • Instruction ID: 1c68c64f343035f968753cdbcc808a292b80b75e85c12d7b15d37a28d76f051e
    • Opcode Fuzzy Hash: 322fb59cd6c26282021fa3c70cdb993bca283449609671e72bba41696cefae57
    • Instruction Fuzzy Hash: 751136B1800249CFDB10CF9AD445BDEFBF8EF48320F10841AD558A3640C778A544CFA5
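    The API entries in the blocks above share one layout, `Api.Module(args), ref: addr`, and each group is tied to the `Memory Dump Source` line beneath it, which states whether the region is backed by a PE image. That second field is the triage signal here: the OpenSCManagerW, ControlService and ImpersonateLoggedOnUser calls are reached from the 05020000 region marked `based on PE: false`, i.e. code that is not part of the file on disk, while the CreateFileA and VirtualAlloc calls come from the PE-backed 00010000 mapping. The following Python script is an added example, not Joe Sandbox code: it parses lines in that layout, decodes the documented Win32 constants visible in the report (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, MEM_COMMIT, PAGE_READWRITE), groups calls by behaviour and lists the APIs reached from non-PE-backed memory. The sample input is constructed from entries copied out of this report, and the behaviour labels are this example's own grouping, not a report field.

```python
import re

# Entry layout used by the report:  "• Api.Module(args), ref: addr"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "Memory Dump Source" line that follows a group of entries.
SOURCE_LINE = re.compile(
    r"Source File:\s*\S+\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Documented Win32 constants (fileapi.h / memoryapi.h / winnt.h).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Behaviour labels are this example's own grouping (an assumption), not a report field.
BEHAVIOUR = {"OpenSCManagerW": "service control", "ControlService": "service control",
             "ImpersonateLoggedOnUser": "token impersonation", "VirtualAlloc": "memory allocation",
             "CreateFileA": "file access", "CreateFileW": "file access", "ReadFile": "file access"}

def _arg(args, i):
    """args[i] as an int, or None when the sandbox printed '?' (unresolved)."""
    if i >= len(args) or args[i] == "?":
        return None
    return int(args[i], 16)

def _flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def _decode_create_file(args):
    # CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, ...)
    access, share, disp = _arg(args, 1), _arg(args, 2), _arg(args, 4)
    parts = [_flags(access, GENERIC_ACCESS)] if access is not None else []
    if share is not None:
        parts.append(_flags(share, SHARE_MODE) if share else "no sharing")
    if disp is not None:
        parts.append(DISPOSITION.get(disp, hex(disp)))
    return ", ".join(parts)

def _decode_virtual_alloc(args):
    # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect)
    size, atype, prot = _arg(args, 1), _arg(args, 2), _arg(args, 3)
    parts = [_flags(atype, ALLOC_TYPE)] if atype is not None else []
    if prot is not None:
        parts.append(PAGE_PROTECT.get(prot, hex(prot)))
    if size is not None:
        parts.append(f"{size:#x} bytes")
    return ", ".join(parts)

DECODERS = {"CreateFileA": _decode_create_file, "CreateFileW": _decode_create_file,
            "VirtualAlloc": _decode_virtual_alloc}

def parse_api_calls(report_text):
    """One dict per API entry; the source line after a group is attached to every entry in it."""
    calls, pending = [], []
    for line in report_text.splitlines():
        m = API_LINE.match(line)
        if m:
            api, raw = m.group("api"), m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            pending.append({"api": api, "module": m.group("module"), "ref": m.group("ref"),
                            "args": args, "behaviour": BEHAVIOUR.get(api, "other"),
                            "detail": DECODERS[api](args) if api in DECODERS else "",
                            "region_offset": None, "pe_backed": None})
            continue
        m = SOURCE_LINE.search(line)
        if m:
            for call in pending:
                call["region_offset"] = m.group("offset")
                call["pe_backed"] = m.group("pe") == "true"
            calls.extend(pending)
            pending = []
    return calls + pending  # trailing entries without a source line keep None

def summarise(calls):
    """Group by behaviour and list APIs reached from memory not backed by a PE image."""
    by_behaviour = {}
    for c in calls:
        by_behaviour.setdefault(c["behaviour"], []).append(f'{c["api"]} @ {c["ref"]}')
    non_pe = sorted({c["api"] for c in calls if c["pe_backed"] is False})
    return {"by_behaviour": by_behaviour, "non_pe_backed": non_pe}

# Constructed sample: entries copied from the report blocks above, one region line per group.
SAMPLE_REPORT = """\
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 001EBDF1
• Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05020DCD
• Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
• ImpersonateLoggedOnUser.KERNELBASE ref: 05021367
• Source File: 00000000.00000002.2162672865.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
• VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,001F5BE3), ref: 001F5C07
• Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
"""
```

    Run `summarise(parse_api_calls(open("report.txt").read()))` over the text of the whole page and the `non_pe_backed` list collects every API the sample reaches from unpacked or injected memory; on the entries in this section that is the service-control and impersonation cluster at 05020000, with the file and allocation calls left in the PE-backed region.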
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-122B5FEC,?,?,001EC49B,?,?,00000400,?,00000000,?,00000000), ref: 001EE7D8
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: b912eed5379f9124186136a01ee158538b1fe6a3e9e960b3ed3b0c0af58efea7
    • Instruction ID: fd1810585f425c4076d7a9a3763b3eb5c9da2fd9ea1f5a00618c5845c7ef5e38
    • Opcode Fuzzy Hash: b912eed5379f9124186136a01ee158538b1fe6a3e9e960b3ed3b0c0af58efea7
    • Instruction Fuzzy Hash: 07F0EC365009CAFBCF169FA6DC09D9E3BA6BF98344F054515FA0149061D732C8B1EBA1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: af706420418ab7654619ab94c283dba962d12c886441adbf9ecd1625239192e4
    • Instruction ID: 996ad366c65e71096ecd122643c5fc89baa9d1f447fb184e359a52192ea270ec
    • Opcode Fuzzy Hash: af706420418ab7654619ab94c283dba962d12c886441adbf9ecd1625239192e4
    • Instruction Fuzzy Hash: F0E0EDB250DB44EFDA486F55C59943DFAE9FE91720F23492EE1C786110D3B15C82EA13
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 60f23f12b17799e4e34d61b51729cd1eb32235c8c898bb81e1337f17de645f01
    • Instruction ID: 6f4a49914f80a05aa3347ae56917cdfdbf46a4647ebf7a92c66696132b00322b
    • Opcode Fuzzy Hash: 60f23f12b17799e4e34d61b51729cd1eb32235c8c898bb81e1337f17de645f01
    • Instruction Fuzzy Hash: 1A01E436A0058DBFCF229FA6DC05DDEBB76FF88784F504161B800A4460DB329A61DFA1
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,001F5BE3,?,?,001F58E9,?,?,001F58E9,?,?,001F58E9), ref: 001F5C07
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: ee85ab88dc79f6608f286f6ca212307261e9da5146f722ef93b2f8fa9106fba2
    • Instruction ID: 1bc7422dbd0b23468231855bb98c42d4831f14413fd72760a8c94fb0bdfcce0e
    • Opcode Fuzzy Hash: ee85ab88dc79f6608f286f6ca212307261e9da5146f722ef93b2f8fa9106fba2
    • Instruction Fuzzy Hash: 07F0D1B1900309EFD7258F14CD08B68BFA4FF497A1F208428F64B9B652E3B198C08B50
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
    • CloseHandle.KERNELBASE(001EC530,-122B5FEC,?,?,001EC530,?), ref: 001ECBAB
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    • Opcode ID: 147ee576bec47475394862a9e82cd9071f48c8e886d36f19e5953e305f56b28b
    • Instruction ID: 31b9d9e185e924851f1557b83f6cd76250f772da078dd4aa959ae9e9234b5a1c
    • Opcode Fuzzy Hash: 147ee576bec47475394862a9e82cd9071f48c8e886d36f19e5953e305f56b28b
    • Instruction Fuzzy Hash: 02E04F72204DC1B6CE20BF7BEC0ED8F2A689FB43847114122B50696051DB22C4A3D6A1
    APIs
    • CloseHandle.KERNELBASE(?,?,001E9CB8,?,?), ref: 001EBC38
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: e11398e2c4b6bf74640063c4724e50e6ea17f37e35d316d42348d7a1f16016b1
    • Instruction ID: c870de47bb0029df183ea4086a8bbf7c9a275a4f3bea85984a69d3143e50b967
    • Opcode Fuzzy Hash: e11398e2c4b6bf74640063c4724e50e6ea17f37e35d316d42348d7a1f16016b1
    • Instruction Fuzzy Hash: 03B09231004508BBCF01BF52DC0688EBFA9BF29398B408120F91988071CB72EAB89F90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: #K{o$8:r^$<_?$NpN$WK?$[Gws$_pm$cGc$r5 ${z$?
    • API String ID: 0-4023284824
    • Opcode ID: 1b394b3356a6d605cc3a38bd83f251a26a29a2ea8ec0d824d1282cdbb339dd43
    • Instruction ID: e13368c3c16190412a200376cf61363e4a2fe769ff636cf31d1ee87d0e3c82de
    • Opcode Fuzzy Hash: 1b394b3356a6d605cc3a38bd83f251a26a29a2ea8ec0d824d1282cdbb339dd43
    • Instruction Fuzzy Hash: 49B229F360C2049FE3046E2DEC8567AFBE9EFD4720F16893DEAC583744EA3558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: #?G]$0igz$Ow}$RIKM$aFZ$d6_<$t9g
    • API String ID: 0-3652775659
    • Opcode ID: 70c125668b9530dedd9049c71ffd186c42c76834c2c02051862080b2a96b2941
    • Instruction ID: f7abe4fdd088687faa8e17b24f11b01da16e5c89b282cfb48750885bfdf041d5
    • Opcode Fuzzy Hash: 70c125668b9530dedd9049c71ffd186c42c76834c2c02051862080b2a96b2941
    • Instruction Fuzzy Hash: 53B217F360C204AFE7086E2DEC4567ABBE9EFD4720F1A453DE6C5C7340EA3598058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: ./?~$:+;^$<+/g$>+;^$`CV$}-+{$mZ
    • API String ID: 0-917836768
    • Opcode ID: 1f8ef9e9007c9ac6701d9cfaa5f60c4aba0b1fbd48302092344c3731b0eae123
    • Instruction ID: 0833b8b4bb329ec40f5af44f34d33f6420089782d10e39797e629b6c2d0450f8
    • Opcode Fuzzy Hash: 1f8ef9e9007c9ac6701d9cfaa5f60c4aba0b1fbd48302092344c3731b0eae123
    • Instruction Fuzzy Hash: D9B219F390C2009FE3046E2DEC85A7ABBE9EF94720F1A853DE6C4C7744E63599058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: 7}{$:Ao$OLef$cDsb
    • API String ID: 0-1789730671
    • Opcode ID: 5ba53637e7783fb093b1f3a1190432257ec96df92352fb19db03a104e0a3ae20
    • Instruction ID: 1d104bf7ad7d03ba34978188926fca80fe33e66b9c9da17369385de7de4904da
    • Opcode Fuzzy Hash: 5ba53637e7783fb093b1f3a1190432257ec96df92352fb19db03a104e0a3ae20
    • Instruction Fuzzy Hash: 0DB21AF3A0C204AFE304AE2DEC8567AF7E9EB94720F16463DEAC4C3744E53598058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: 10}_$K\>$K\>$cN>f
    • API String ID: 0-2955486427
    • Opcode ID: 0755944df8bda1b5d16193372451f084ac9b7ae2f8f0bcc6f1119fb53b229d3f
    • Instruction ID: e52658b4b692acb945b169e67871ff7a08e799cf42a884421ca4ea93d6e2021f
    • Opcode Fuzzy Hash: 0755944df8bda1b5d16193372451f084ac9b7ae2f8f0bcc6f1119fb53b229d3f
    • Instruction Fuzzy Hash: 2FB2F7F36082009FE304AE2DEC85B7ABBE9EFD4720F1A453DE6C5C7744E93598058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: &)F~$GV_~$OY~$p_o
    • API String ID: 0-1761811821
    • Opcode ID: c8d3f3b696d930dfdb8d30c7c1bdd1df7840537ad4f97e9d108692c099acf0d3
    • Instruction ID: b2c125db481b6bef03f81e0f03c3a816ac0c01e4a9363047cefd8fed89153c2b
    • Opcode Fuzzy Hash: c8d3f3b696d930dfdb8d30c7c1bdd1df7840537ad4f97e9d108692c099acf0d3
    • Instruction Fuzzy Hash: 2FB2E7F360C2009FE304AE2DEC85A7AB7E5EF94720F1A893DE6C5C3744EA3559058697
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: c?~$k[wO$zp?E
    • API String ID: 0-408443935
    • Opcode ID: 5b8d20a446aa2519d86bd30d35e02de0b9e300b3a1ec0f10fa41807bb60f09bf
    • Instruction ID: 2924c67835ab1d574e1539086791d8602e0c4379f2236ae22199d4087dd98a2c
    • Opcode Fuzzy Hash: 5b8d20a446aa2519d86bd30d35e02de0b9e300b3a1ec0f10fa41807bb60f09bf
    • Instruction Fuzzy Hash: 186207F360C204AFE3046E2DEC85A7AFBE9EF94720F16453DEAC5C3740EA3558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: ,G_[$4#T$OsO
    • API String ID: 0-2438650889
    • Opcode ID: ca6d319f7f7f2b95f9f978c6354788bed5ce6e13eec7d1b17652adea160d9921
    • Instruction ID: ed4dbadf2ac13371f6d425a35eaeb8e005078ca01f64d374c07b8b503f2ab2af
    • Opcode Fuzzy Hash: ca6d319f7f7f2b95f9f978c6354788bed5ce6e13eec7d1b17652adea160d9921
    • Instruction Fuzzy Hash: 6C3127B3E251244BF3449A3CDC093A67AC2DBD5720F1AC63DDA88E77C8D878990947C5
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
    • GetSystemTime.KERNEL32(?,-122B5FEC), ref: 001EDF9B
    • GetFileTime.KERNEL32(?,?,?,?,-122B5FEC), ref: 001EDFDE
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    • Opcode ID: 46582aeb48b0ad43fb9027a204470a599eb8ef393dbb31277bf8b46be40aa5f4
    • Instruction ID: 4f5313b5ccb681517f9bc4c699b77660149b0dd71286816a77aaeda744b881f2
    • Opcode Fuzzy Hash: 46582aeb48b0ad43fb9027a204470a599eb8ef393dbb31277bf8b46be40aa5f4
    • Instruction Fuzzy Hash: F301D632200986FBCB26DF6AE90CD8E7F75EF95710B114126F90255461D73288A2DA61
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: [/
    • API String ID: 0-3235141762
    • Opcode ID: 11b4e11fd8baeb9d99eafe82d77a08a685d46e5624426a73638defd9832c434a
    • Instruction ID: cf98fac1947c87767eff3029f728d1af69b657a95bf62f8c69569710fd28c595
    • Opcode Fuzzy Hash: 11b4e11fd8baeb9d99eafe82d77a08a685d46e5624426a73638defd9832c434a
    • Instruction Fuzzy Hash: 9FA2C2F260C2009FE704AE2DEC8567ABBE5EF94320F16493DE6C4C3744E63598558B97
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 001EEE6B
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: f0725c7f84ecf3b3f42502b799ab7f0e4c946b04b18ca3fec9f387c9cd1b42d4
    • Instruction ID: 4dee0030a72dc0be57a2363cbc14658dfbac4fad4226f2d29dce0b423408bb93
    • Opcode Fuzzy Hash: f0725c7f84ecf3b3f42502b799ab7f0e4c946b04b18ca3fec9f387c9cd1b42d4
    • Instruction Fuzzy Hash: C1F01C3260064AFFCF01CF95D904A9D7BB2FF18354F108129F91596150D3769AB4EF40
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: Plk
    • API String ID: 0-714847102
    • Opcode ID: f7846306ca6508c994aee4a3f88dbcda238dbd16a0c258059ff71dbb4d91c053
    • Instruction ID: aa9d89696f82c08b9b1658d19dcd15f669b5ba0d0668d174d16e794e1c8f94c3
    • Opcode Fuzzy Hash: f7846306ca6508c994aee4a3f88dbcda238dbd16a0c258059ff71dbb4d91c053
    • Instruction Fuzzy Hash: 517116F3E082145FE3006D2DEC9577ABADADBD4760F2A493EEAC4D7380E9745C058296
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: 9\?
    • API String ID: 0-2693652492
    • Opcode ID: fa9a7673544623fa53480d8d6b9467fce3d5c13fed32f74ccfbca8599614e13e
    • Instruction ID: 5beb60697863948d3123474e33f16749692f5a8b1df85f139366cb40a970ce6a
    • Opcode Fuzzy Hash: fa9a7673544623fa53480d8d6b9467fce3d5c13fed32f74ccfbca8599614e13e
    • Instruction Fuzzy Hash: D461E6F360C300AFE3085E29EC9177AB7E6EB94320F19853DE6D5C7780E67988058657
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: G}~
    • API String ID: 0-2896208758
    • Opcode ID: ea1e671246cd8fe1e5e058280ac1a865e42e4a492a27ed96316b98e9931956eb
    • Instruction ID: 1f3209107726355255a4a603b703398804cdee9f3028d80ce8d89ff81d34a129
    • Opcode Fuzzy Hash: ea1e671246cd8fe1e5e058280ac1a865e42e4a492a27ed96316b98e9931956eb
    • Instruction Fuzzy Hash: 23515CF3B182244BE708AA3CECD5776B7D9DB54310F16423DED8AD3744E8655D0482D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: aom
    • API String ID: 0-1266595987
    • Opcode ID: 7a6c65e0703088fbccd3392820fd0a219c45d5c4a3780b52ea0a1f9b245929aa
    • Instruction ID: 94ff99a7a3892c8d0e00584d6085d6eacdfd260b0d95ad34db845689904b87c9
    • Opcode Fuzzy Hash: 7a6c65e0703088fbccd3392820fd0a219c45d5c4a3780b52ea0a1f9b245929aa
    • Instruction Fuzzy Hash: F64186B3E181301BE350A93CDC49797B696DF94220F07873ADDD8E7B84E9319D0482D2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: +'/
    • API String ID: 0-367829677
    • Opcode ID: 2cf5a35a2c5ad3c75ea836ad2eec2c46b9df4399074855c1ba86f4932895fbba
    • Instruction ID: c985793bf2ad530dccdddb200ad3701c8158ae426ef2522315ccf4442a6bdcf2
    • Opcode Fuzzy Hash: 2cf5a35a2c5ad3c75ea836ad2eec2c46b9df4399074855c1ba86f4932895fbba
    • Instruction Fuzzy Hash: 7D417CF614C614AFE301BF69EC816BAFBE9FB45320F26092DE2C0C2601E77494448B93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID: 4)>m
    • API String ID: 0-458738461
    • Opcode ID: 374090b8fe0066cfb97be11f44773fcef334bb64bce5180de823298639721f61
    • Instruction ID: 2abe251819703cf1b103367a67d2ff034db0fc1ab2b50349809b186a6b2e1340
    • Opcode Fuzzy Hash: 374090b8fe0066cfb97be11f44773fcef334bb64bce5180de823298639721f61
    • Instruction Fuzzy Hash: 3C311BB251C200AFD755AE69DC817AAFBE9EF58320F124D2EE6C4C3250E73598508B97
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9a4db31be1a809fa41d5af43c988a85c8bf943e7e08d85889516a36f5db734c3
    • Instruction ID: 1be2474fd5281f943bba2055f37e2e23a3551a5e3084be8d1a1bca3ba996324a
    • Opcode Fuzzy Hash: 9a4db31be1a809fa41d5af43c988a85c8bf943e7e08d85889516a36f5db734c3
    • Instruction Fuzzy Hash: C051E1B260C204EFD30CAE29DC4127AF7E6EF94714F22893DE6D687254EB3149429B43
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 02deab512d1f5d2f33b11f32b9c235c3c699c4991a567f1b7fd3ca6b48544b18
    • Instruction ID: 9d94af39b9c3a899cbb87b5ed47d2ce2ee34bd0a70f41496664430a426ae0e69
    • Opcode Fuzzy Hash: 02deab512d1f5d2f33b11f32b9c235c3c699c4991a567f1b7fd3ca6b48544b18
    • Instruction Fuzzy Hash: B64103B3E083145FE314AE2DDC8576BB7D6EBC8360F26863DDAC453780EA356C058696
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 20f94c479b6c48d4f70d2888df1fe2427f28ca554ba8e609e7678f2d0d1d51fa
    • Instruction ID: 5d5e52941270c746ba1569dd71c599f328bf0f13f47a67104e398135d869871e
    • Opcode Fuzzy Hash: 20f94c479b6c48d4f70d2888df1fe2427f28ca554ba8e609e7678f2d0d1d51fa
    • Instruction Fuzzy Hash: F84114B240C3089FD704BF2DE84563AFBE9EF94720F1A092DE9C583744EA355885CA97
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1b2b271943eb6ecd54ec9502b4aa10f9252c01670aa3f78eedafb3c9e43ad035
    • Instruction ID: 59dc925d1b6840e09e5afd1f68c727546211a957b507bf35d72398916e9c7cc0
    • Opcode Fuzzy Hash: 1b2b271943eb6ecd54ec9502b4aa10f9252c01670aa3f78eedafb3c9e43ad035
    • Instruction Fuzzy Hash: 523107B291C610EFE705BF29D8816AAFBE5FF58710F06482DEAC493250D7355840CB97
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fe6af4095f6de75d956990a6009a232917fb53c29154da7970bc60b899b7fcf7
    • Instruction ID: 06d1af00bee15cdaf24cc2baa4c3329cb5b41619765471ed79952437b208fa4d
    • Opcode Fuzzy Hash: fe6af4095f6de75d956990a6009a232917fb53c29154da7970bc60b899b7fcf7
    • Instruction Fuzzy Hash: E63130B290C7049FE311BF29D8866AAFBE1FF98710F12092CD6D483610EB359480CB87
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 679049e8bda54f4b207c0448767039fca0cf1d2a4859b48ada22ea3cbbd2765a
    • Instruction ID: 91db2d3e89df41001af21b9796ad0fda11a6c46240459c7267bc4a09a740d8a3
    • Opcode Fuzzy Hash: 679049e8bda54f4b207c0448767039fca0cf1d2a4859b48ada22ea3cbbd2765a
    • Instruction Fuzzy Hash: 45E04F36104105AAD7009F54C845A9FFBF4FF1A320F219845E884C7622C3358D42C729
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7eece42b15cdddf3fa66bb2b06164d716f28933399b882f1e9bb0de500d68163
    • Instruction ID: 7f71cb2c90c6c39387532292d6196d7e42d79d105efa934779ed60c337d232ee
    • Opcode Fuzzy Hash: 7eece42b15cdddf3fa66bb2b06164d716f28933399b882f1e9bb0de500d68163
    • Instruction Fuzzy Hash: D9B0926987C29225D0526124089177A8A280B33A21E2603557238640D35345C10A2117
    APIs
      • Part of subcall function 001E9E19: GetCurrentThreadId.KERNEL32 ref: 001E9E28
      • Part of subcall function 001EE51A: IsBadWritePtr.KERNEL32(?,00000004), ref: 001EE528
    • wsprintfA.USER32 ref: 001ED4E2
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 001ED5A6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: 3230db982fb2888030bbdd1f61556604f6ae6e22e1ac6d9f17ba2900051550eb
    • Instruction ID: d1dc1b44940b994715e964c6257bb08e09aa2e08247fddb1a2fd85ad6de42981
    • Opcode Fuzzy Hash: 3230db982fb2888030bbdd1f61556604f6ae6e22e1ac6d9f17ba2900051550eb
    • Instruction Fuzzy Hash: A631577190054AFBCF11DF95DC09EEEBBB9FF88310F108025FA11A61A1D7319A61DBA0
    APIs
    • GetFileAttributesExW.KERNEL32(00EE0254,00004020,00000000,-122B5FEC), ref: 001EE15A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2160275292.0000000000197000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
    • Associated: 00000000.00000002.2160163974.0000000000010000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160212357.0000000000012000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160246117.0000000000016000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.000000000001A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002AE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160275292.00000000002BE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160565720.00000000002BF000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160700708.0000000000464000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2160722785.0000000000466000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_10000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 7f359fd0a18ee477d5569c1011eb77eff54924b17af3cf32743f1724d3d78914
    • Instruction ID: a119deb7192218c43e34b3d655d1d2bd0ce43cb023e5af3530a73370696e574c
    • Opcode Fuzzy Hash: 7f359fd0a18ee477d5569c1011eb77eff54924b17af3cf32743f1724d3d78914
    • Instruction Fuzzy Hash: 673148B1504B45EFDF258F56C84878EBBB4FF08310F118519F55667250C3B1AAA5DF90