Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532901
MD5: a024a8a076c6f3f2ee6dd97c51cd72a8
SHA1: 1c995e44fae09f8f711a16bb6b26fae957eb1706
SHA256: ffe3772fdb21678a4614b824fb3f2018eee8fad7d9358063b5d0538a0e043685
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4244 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A024A8A076C6F3F2EE6DD97C51CD72A8)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | Virustotal: Detection: 58%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044F94E CryptVerifySignatureA | 0_2_0044F94E
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1249315037.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 | 0_2_0040B019
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00280168 | 0_2_00280168
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002B61AA | 0_2_002B61AA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E61D2 | 0_2_003E61D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002BC264 | 0_2_002BC264
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0031A262 | 0_2_0031A262
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003463AC | 0_2_003463AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DF471 | 0_2_003DF471
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003375E3 | 0_2_003375E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0027F7E5 | 0_2_0027F7E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E984F | 0_2_003E984F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D88DB | 0_2_003D88DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E2B4C | 0_2_003E2B4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003D6D6D | 0_2_003D6D6D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CD9A | 0_2_0040CD9A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CDA8 | 0_2_0040CDA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CF45 | 0_2_0040CF45
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CF58 | 0_2_0040CF58
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00441F05 | 0_2_00441F05
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DBF74 | 0_2_003DBF74
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040CF3C | 0_2_0040CF3C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A0F9D | 0_2_003A0F9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040AFFE | 0_2_0040AFFE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003E0FDA | 0_2_003E0FDA
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0044A943 appears 35 times
Source: file.exe, 00000000.00000000.1241348839.0000000000266000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Section: dxnzjtng ZLIB complexity 0.9950414023310711
Source: file.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 58%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1760256 > 1048576
Source: file.exe | Static PE information: Raw size of dxnzjtng is bigger than: 0x100000 < 0x1a7a00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1249315037.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dxnzjtng:EW;bnjbabth:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b1df1 should be: 0x1ae20f
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: dxnzjtng
Source: file.exe | Static PE information: section name: bnjbabth
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FE11B push 2E83766Eh; mov dword ptr [esp], edx | 0_2_003FF345
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004006E4 push ebx; mov dword ptr [esp], ebp | 0_2_00402BD7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004006E4 push 4F9C368Ch; mov dword ptr [esp], edx | 0_2_00402BF9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402043 push 40DEF415h; mov dword ptr [esp], esp | 0_2_00403113
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FF01B push edx; mov dword ptr [esp], esi | 0_2_0040183A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FF01B push 6AB3CA60h; mov dword ptr [esp], edi | 0_2_00401842
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00405074 push eax; mov dword ptr [esp], 75FBD99Ch | 0_2_0040507F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FE002 push ecx; mov dword ptr [esp], ebp | 0_2_00400BBA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FE06F push edi; mov dword ptr [esp], esi | 0_2_00402215
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 push 63908730h; mov dword ptr [esp], ecx | 0_2_0040B044
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 push esi; mov dword ptr [esp], eax | 0_2_0040B05C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 push 25F19B49h; mov dword ptr [esp], ebp | 0_2_0040B09B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 push 55ABFE58h; mov dword ptr [esp], eax | 0_2_0040B16A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003F2063 push 34CC181Eh; mov dword ptr [esp], ecx | 0_2_003F20AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D0C6 push 2BC2AC8Ch; mov dword ptr [esp], edx | 0_2_0040D147
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D0C6 push 52BE33A0h; mov dword ptr [esp], esi | 0_2_0040D1E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D0C6 push 1D19D1B1h; mov dword ptr [esp], edi | 0_2_0040D22F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D0D0 push 2BC2AC8Ch; mov dword ptr [esp], edx | 0_2_0040D147
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D0D0 push 52BE33A0h; mov dword ptr [esp], esi | 0_2_0040D1E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040D0D0 push 1D19D1B1h; mov dword ptr [esp], edi | 0_2_0040D22F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004060FB push ebp; ret | 0_2_0040610A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049608E push edi; mov dword ptr [esp], 5F9B3F9Dh | 0_2_0049610C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049608E push edx; mov dword ptr [esp], edi | 0_2_0049617C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049608E push esi; mov dword ptr [esp], esp | 0_2_0049619B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049608E push 0EDF082Eh; mov dword ptr [esp], edi | 0_2_004961DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0049608E push ecx; mov dword ptr [esp], eax | 0_2_00496229
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FF0F7 push eax; mov dword ptr [esp], 49817010h | 0_2_0040122E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FF0F7 push eax; mov dword ptr [esp], edx | 0_2_004021BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040608B push ecx; ret | 0_2_0040609A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040508E push 3C92231Ah; mov dword ptr [esp], esi | 0_2_004050B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6099 push ebp; mov dword ptr [esp], esp | 0_2_004C60F1
Source: file.exe | Static PE information: section name: entropy: 7.745521434288489
Source: file.exe | Static PE information: section name: dxnzjtng entropy: 7.9537812643556745

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F1D9D second address: 3F1DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F1DA1 second address: 3F1DF1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC0786FEE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007FC0786FEE62h 0x00000010 push ecx 0x00000011 jg 00007FC0786FEE56h 0x00000017 jmp 00007FC0786FEE64h 0x0000001c pop ecx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FC0786FEE65h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F0E06 second address: 3F0E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F0E0A second address: 3F0E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F1091 second address: 3F10AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC078863605h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F10AC second address: 3F10B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F10B0 second address: 3F10BA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC0788635F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F10BA second address: 3F10E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC0786FEE5Eh 0x0000000d jmp 00007FC0786FEE68h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F10E8 second address: 3F10EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F1258 second address: 3F125C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F125C second address: 3F1267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F1267 second address: 3F128C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jg 00007FC0786FEE56h 0x0000000e jmp 00007FC0786FEE5Fh 0x00000013 js 00007FC0786FEE56h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F466B second address: 3F46E8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC0788635F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007FC0788635F6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 popad 0x00000015 pop eax 0x00000016 js 00007FC078863602h 0x0000001c jg 00007FC0788635FCh 0x00000022 push 00000003h 0x00000024 cmc 0x00000025 call 00007FC0788635FEh 0x0000002a call 00007FC078863606h 0x0000002f mov cl, 4Eh 0x00000031 pop edx 0x00000032 pop ecx 0x00000033 push 00000000h 0x00000035 push 00000003h 0x00000037 mov edx, dword ptr [ebp+122D2BFDh] 0x0000003d call 00007FC0788635F9h 0x00000042 pushad 0x00000043 push esi 0x00000044 jng 00007FC0788635F6h 0x0000004a pop esi 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007FC0788635FCh 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F46E8 second address: 3F4704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FC0786FEE56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F4704 second address: 3F471D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F471D second address: 3F473D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE5Ah 0x00000009 popad 0x0000000a pop esi 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC0786FEE5Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F473D second address: 3F4791 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC0788635F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b adc edi, 39F256DAh 0x00000011 lea ebx, dword ptr [ebp+1245A4E9h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FC0788635F8h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 mov dl, ch 0x00000033 mov esi, dword ptr [ebp+122D1FF0h] 0x00000039 mov dh, ah 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FC0788635FFh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F47D2 second address: 3F48A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov ecx, dword ptr [ebp+122D2BE5h] 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 jmp 00007FC0786FEE67h 0x0000001a pop edx 0x0000001b call 00007FC0786FEE59h 0x00000020 jmp 00007FC0786FEE5Ch 0x00000025 push eax 0x00000026 push ecx 0x00000027 jmp 00007FC0786FEE5Bh 0x0000002c pop ecx 0x0000002d mov eax, dword ptr [esp+04h] 0x00000031 push edx 0x00000032 js 00007FC0786FEE58h 0x00000038 pushad 0x00000039 popad 0x0000003a pop edx 0x0000003b mov eax, dword ptr [eax] 0x0000003d jmp 00007FC0786FEE64h 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 jns 00007FC0786FEE5Eh 0x0000004c pop eax 0x0000004d mov ch, bh 0x0000004f push 00000003h 0x00000051 push 00000000h 0x00000053 mov cl, bl 0x00000055 push 00000003h 0x00000057 cmc 0x00000058 and edx, 4EB87BDEh 0x0000005e call 00007FC0786FEE59h 0x00000063 jc 00007FC0786FEE5Eh 0x00000069 push esi 0x0000006a jbe 00007FC0786FEE56h 0x00000070 pop esi 0x00000071 push eax 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FC0786FEE62h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F48A8 second address: 3F48AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F48AC second address: 3F48EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FC0786FEE6Dh 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ebx 0x00000012 pushad 0x00000013 jmp 00007FC0786FEE67h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F48EF second address: 3F4900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FC0788635F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F4900 second address: 3F4987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE69h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jg 00007FC0786FEE68h 0x00000014 pop eax 0x00000015 jmp 00007FC0786FEE69h 0x0000001a lea ebx, dword ptr [ebp+1245A4F2h] 0x00000020 movzx esi, bx 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FC0786FEE69h 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FC0786FEE5Dh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3F4987 second address: 3F498D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4061E8 second address: 406202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC0786FEE61h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4139C5 second address: 4139C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 413B18 second address: 413B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FC0786FEE56h 0x0000000a ja 00007FC0786FEE56h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 413B28 second address: 413B43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC078863601h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4140CB second address: 4140DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FC0786FEE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FC0786FEE56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4140DF second address: 4140E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4140E3 second address: 4140FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE64h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4140FD second address: 414103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 414103 second address: 414107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 414107 second address: 41410B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 414400 second address: 414418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC0786FEE61h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 414418 second address: 41441D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 414831 second address: 414836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 414C64 second address: 414C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 415266 second address: 41526A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 41526A second address: 415298 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC078863606h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007FC078863600h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 415298 second address: 4152B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE61h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 41570E second address: 415712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 415A9C second address: 415AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 415AA2 second address: 415AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 415AA6 second address: 415AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FC0786FEE56h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 415AB8 second address: 415ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 417017 second address: 417043 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 jmp 00007FC0786FEE5Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC0786FEE68h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 417043 second address: 417047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3E4288 second address: 3E4291 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 419543 second address: 419547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 419547 second address: 41954B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 41954B second address: 419551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 419711 second address: 419715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 41865F second address: 418663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 420BFD second address: 420C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 420D62 second address: 420D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 420E98 second address: 420E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 420E9C second address: 420EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4211D8 second address: 4211DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4211DC second address: 4211E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42209C second address: 4220B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007FC0786FEE5Dh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 422251 second address: 422257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 42298C second address: 422992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 422992 second address: 4229CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC078863609h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e xor esi, dword ptr [ebp+122D1ED0h] 0x00000014 nop 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC0788635FEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4229CD second address: 4229D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4229D3 second address: 4229DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FC0788635F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 422E0B second address: 422E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 422F8D second address: 422FBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC078863601h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC078863606h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42355D second address: 42356A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FC0786FEE56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42356A second address: 423577 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 423577 second address: 42357B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 424007 second address: 42400D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 425095 second address: 4250B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE66h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4250B0 second address: 4250BA instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC0788635FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4250BA second address: 42514A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FC0786FEE5Dh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FC0786FEE58h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FC0786FEE58h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 jmp 00007FC0786FEE5Ah 0x0000004a xchg eax, ebx 0x0000004b jnc 00007FC0786FEE5Ah 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 jmp 00007FC0786FEE63h 0x00000059 push esi 0x0000005a pop esi 0x0000005b popad 0x0000005c jbe 00007FC0786FEE5Ch 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42654F second address: 4265A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC0788635F6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FC0788635F8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000014h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007FC0788635F8h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 add dword ptr [ebp+122D3552h], ebx 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4265A8 second address: 4265B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC0786FEE56h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4265B7 second address: 4265BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4270E4 second address: 42715E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC0786FEE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c jmp 00007FC0786FEE63h 0x00000011 sub di, F316h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007FC0786FEE58h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FC0786FEE58h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Bh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e and esi, dword ptr [ebp+122D3986h] 0x00000054 xchg eax, ebx 0x00000055 push edx 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426E4E second address: 426E57 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426E57 second address: 426E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FC0786FEE5Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 426E6D second address: 426E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 427AAE second address: 427ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC0786FEE67h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 427ADE second address: 427AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FC0788635F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4286C6 second address: 4286D0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC0786FEE5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4286D0 second address: 4286F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FC078863609h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4286F6 second address: 4286FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E2652 second address: 3E265B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E265B second address: 3E2663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E2663 second address: 3E2692 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC0788635FEh 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jl 00007FC0788635F8h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FC0788635FFh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42DABA second address: 42DAC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC0786FEE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E067 second address: 42E0FD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC0788635F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FC0788635F8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov ebx, dword ptr [ebp+122D2B9Dh] 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FC0788635F8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 movsx ebx, cx 0x0000004b mov edi, 64169719h 0x00000050 push 00000000h 0x00000052 push 00000000h 0x00000054 push edi 0x00000055 call 00007FC0788635F8h 0x0000005a pop edi 0x0000005b mov dword ptr [esp+04h], edi 0x0000005f add dword ptr [esp+04h], 0000001Ch 0x00000067 inc edi 0x00000068 push edi 0x00000069 ret 0x0000006a pop edi 0x0000006b ret 0x0000006c push eax 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007FC078863607h 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42E255 second address: 42E259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42F0AD second address: 42F0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FC078863609h 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f jc 00007FC07886360Ch 0x00000015 pushad 0x00000016 jmp 00007FC0788635FEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42FE6A second address: 42FF1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC0786FEE69h 0x0000000a popad 0x0000000b push eax 0x0000000c push edi 0x0000000d jno 00007FC0786FEE5Ch 0x00000013 pop edi 0x00000014 nop 0x00000015 mov edi, 678660D7h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FC0786FEE58h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov edi, ebx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007FC0786FEE58h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 jng 00007FC0786FEE67h 0x0000005a jmp 00007FC0786FEE61h 0x0000005f jp 00007FC0786FEE5Ch 0x00000065 mov ebx, dword ptr [ebp+122D26F4h] 0x0000006b push eax 0x0000006c pushad 0x0000006d jnl 00007FC0786FEE58h 0x00000073 push eax 0x00000074 push edx 0x00000075 jnl 00007FC0786FEE56h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42FF1E second address: 42FF22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 431E2C second address: 431E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC0786FEE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4334A4 second address: 433515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jbe 00007FC0788635FCh 0x00000011 mov edi, dword ptr [ebp+122D2C85h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FC0788635F8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov bx, cx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007FC0788635F8h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 movsx edi, dx 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4325EB second address: 4325F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 433515 second address: 43351A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43351A second address: 433521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4369B4 second address: 4369CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC078863602h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4369CB second address: 436A3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FC0786FEE5Ch 0x00000011 pop edx 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FC0786FEE58h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push 00000000h 0x0000002f mov bh, dh 0x00000031 push 00000000h 0x00000033 mov ebx, dword ptr [ebp+122D2B49h] 0x00000039 xchg eax, esi 0x0000003a jl 00007FC0786FEE5Eh 0x00000040 ja 00007FC0786FEE58h 0x00000046 push eax 0x00000047 pushad 0x00000048 push ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 436A3A second address: 436A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FC0788635F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 435B8F second address: 435B94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 435B94 second address: 435B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438B21 second address: 438B34 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC0786FEE58h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438B34 second address: 438B3A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437C50 second address: 437C61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437C61 second address: 437C6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FC0788635F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437C6B second address: 437C7D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC0786FEE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437C7D second address: 437C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437C81 second address: 437D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FC0786FEE58h 0x0000000c popad 0x0000000d nop 0x0000000e push dword ptr fs:[00000000h] 0x00000015 sub edi, 6BF57880h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 push 00000000h 0x00000024 push edi 0x00000025 call 00007FC0786FEE58h 0x0000002a pop edi 0x0000002b mov dword ptr [esp+04h], edi 0x0000002f add dword ptr [esp+04h], 00000019h 0x00000037 inc edi 0x00000038 push edi 0x00000039 ret 0x0000003a pop edi 0x0000003b ret 0x0000003c mov edi, dword ptr [ebp+122D29F5h] 0x00000042 mov eax, dword ptr [ebp+122D1461h] 0x00000048 push 00000000h 0x0000004a push edx 0x0000004b call 00007FC0786FEE58h 0x00000050 pop edx 0x00000051 mov dword ptr [esp+04h], edx 0x00000055 add dword ptr [esp+04h], 00000014h 0x0000005d inc edx 0x0000005e push edx 0x0000005f ret 0x00000060 pop edx 0x00000061 ret 0x00000062 push FFFFFFFFh 0x00000064 je 00007FC0786FEE5Eh 0x0000006a jc 00007FC0786FEE58h 0x00000070 push eax 0x00000071 pop ebx 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007FC0786FEE5Eh 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43AC55 second address: 43AC59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BC83 second address: 43BCF9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC0786FEE6Fh 0x00000008 jmp 00007FC0786FEE69h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC0786FEE58h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c sbb ebx, 092C4676h 0x00000032 push 00000000h 0x00000034 sub dword ptr [ebp+122D1E4Ah], esi 0x0000003a xchg eax, esi 0x0000003b jmp 00007FC0786FEE69h 0x00000040 push eax 0x00000041 push edi 0x00000042 push eax 0x00000043 push edx 0x00000044 jc 00007FC0786FEE56h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 439DBD second address: 439DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 439DC3 second address: 439DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 439EDA second address: 439EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438C93 second address: 438CA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438CA7 second address: 438CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BDFB second address: 43BE01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BEB0 second address: 43BEB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BEB4 second address: 43BEBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BEBE second address: 43BEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43BEC2 second address: 43BEE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC0786FEE64h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43DCC3 second address: 43DD7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0788635FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007FC0788635FCh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007FC078863601h 0x00000017 jns 00007FC0788635F8h 0x0000001d popad 0x0000001e nop 0x0000001f mov bx, 649Bh 0x00000023 push dword ptr fs:[00000000h] 0x0000002a jp 00007FC0788635FEh 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 jno 00007FC0788635FCh 0x0000003d pushad 0x0000003e je 00007FC0788635FCh 0x00000044 sub edx, dword ptr [ebp+122D2BE1h] 0x0000004a mov dword ptr [ebp+1245CBE7h], edx 0x00000050 popad 0x00000051 mov eax, dword ptr [ebp+122D14E5h] 0x00000057 movzx edi, dx 0x0000005a push FFFFFFFFh 0x0000005c push 00000000h 0x0000005e push edi 0x0000005f call 00007FC0788635F8h 0x00000064 pop edi 0x00000065 mov dword ptr [esp+04h], edi 0x00000069 add dword ptr [esp+04h], 00000014h 0x00000071 inc edi 0x00000072 push edi 0x00000073 ret 0x00000074 pop edi 0x00000075 ret 0x00000076 jmp 00007FC0788635FBh 0x0000007b push ebx 0x0000007c mov ebx, dword ptr [ebp+122D3474h] 0x00000082 pop edi 0x00000083 nop 0x00000084 push esi 0x00000085 pushad 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43DD7B second address: 43DD9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE61h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FC0786FEE58h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43FAE6 second address: 43FAF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FC0788635F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43EE49 second address: 43EE4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 441C21 second address: 441C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC0788635FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEF87 second address: 3DEFAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 jng 00007FC0786FEE62h 0x0000000c jnc 00007FC0786FEE56h 0x00000012 jnl 00007FC0786FEE56h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jl 00007FC0786FEE8Ah 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEFAA second address: 3DEFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43FDCC second address: 43FDD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43FDD0 second address: 43FDD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43FDD6 second address: 43FDDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43FDDC second address: 43FDE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 448294 second address: 44829C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 448413 second address: 448454 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC078863604h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push edx 0x00000013 jc 00007FC0788635F6h 0x00000019 jmp 00007FC078863604h 0x0000001e pop edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 448454 second address: 448458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 458FA5 second address: 458FB4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 459076 second address: 45908E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE63h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 459196 second address: 4591E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 jmp 00007FC078863608h 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 jnc 00007FC0788635F8h 0x00000016 push edx 0x00000017 jmp 00007FC078863608h 0x0000001c pop edx 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4591E3 second address: 26DAE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FC0786FEE60h 0x00000010 pop eax 0x00000011 clc 0x00000012 push dword ptr [ebp+122D06E5h] 0x00000018 cmc 0x00000019 call dword ptr [ebp+122D2827h] 0x0000001f pushad 0x00000020 pushad 0x00000021 and ecx, 26D131E1h 0x00000027 jmp 00007FC0786FEE5Ch 0x0000002c popad 0x0000002d xor eax, eax 0x0000002f mov dword ptr [ebp+122D378Eh], edi 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 xor dword ptr [ebp+122D272Eh], ebx 0x0000003f mov dword ptr [ebp+122D297Dh], eax 0x00000045 sub dword ptr [ebp+122D272Eh], ebx 0x0000004b mov esi, 0000003Ch 0x00000050 mov dword ptr [ebp+122D272Eh], esi 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a cld 0x0000005b lodsw 0x0000005d jo 00007FC0786FEE57h 0x00000063 cmc 0x00000064 clc 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 sub dword ptr [ebp+122D272Eh], esi 0x0000006f mov ebx, dword ptr [esp+24h] 0x00000073 xor dword ptr [ebp+122D272Eh], ecx 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jmp 00007FC0786FEE64h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D9F1F second address: 3D9F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D9F25 second address: 3D9F29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D9F29 second address: 3D9F38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0788635FBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D15E second address: 45D166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D166 second address: 45D16B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D16B second address: 45D171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D171 second address: 45D17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC0788635F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D17D second address: 45D195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jng 00007FC0786FEE5Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D195 second address: 45D19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC0788635F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D19F second address: 45D1BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FC0786FEE5Eh 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D336 second address: 45D33A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D33A second address: 45D36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC0786FEE63h 0x0000000b jmp 00007FC0786FEE5Fh 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push edi 0x00000016 pop edi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D36E second address: 45D372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D372 second address: 45D37C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC0786FEE56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D37C second address: 45D38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jng 00007FC0788635F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D4DD second address: 45D4E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D4E5 second address: 45D4EF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC0788635FEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45D607 second address: 45D60C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4611F0 second address: 4611F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4611F4 second address: 461208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE5Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461208 second address: 46121B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC0788635FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46121B second address: 46124C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC0786FEE64h 0x0000000d jmp 00007FC0786FEE65h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 429890 second address: 4298B6 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC0788635F8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dx, B945h 0x00000013 lea eax, dword ptr [ebp+1248F595h] 0x00000019 mov dl, BAh 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f jl 00007FC0788635F6h 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4298B6 second address: 4298D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FC0786FEE5Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4298D7 second address: 4298DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4299A7 second address: 4299B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC0786FEE5Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 429E3F second address: 26DAE1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC0788635F8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, 19A57015h 0x00000014 jne 00007FC078863600h 0x0000001a push dword ptr [ebp+122D06E5h] 0x00000020 cld 0x00000021 call dword ptr [ebp+122D2827h] 0x00000027 pushad 0x00000028 pushad 0x00000029 and ecx, 26D131E1h 0x0000002f jmp 00007FC0788635FCh 0x00000034 popad 0x00000035 xor eax, eax 0x00000037 mov dword ptr [ebp+122D378Eh], edi 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 xor dword ptr [ebp+122D272Eh], ebx 0x00000047 mov dword ptr [ebp+122D297Dh], eax 0x0000004d sub dword ptr [ebp+122D272Eh], ebx 0x00000053 mov esi, 0000003Ch 0x00000058 mov dword ptr [ebp+122D272Eh], esi 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 cld 0x00000063 lodsw 0x00000065 jo 00007FC0788635F7h 0x0000006b cmc 0x0000006c clc 0x0000006d add eax, dword ptr [esp+24h] 0x00000071 sub dword ptr [ebp+122D272Eh], esi 0x00000077 mov ebx, dword ptr [esp+24h] 0x0000007b xor dword ptr [ebp+122D272Eh], ecx 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 jmp 00007FC078863604h 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 429EF0 second address: 429F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007FC0786FEE5Eh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 jmp 00007FC0786FEE62h 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d push esi 0x0000001e pop esi 0x0000001f pop esi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 429F25 second address: 429F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC0788635FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 429F36 second address: 429F60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007FC0786FEE5Eh 0x00000010 pop eax 0x00000011 sub edx, 54BE11BDh 0x00000017 push 477BE50Ch 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 429F60 second address: 429F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A0EE second address: 42A0F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A242 second address: 42A24C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC0788635F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A7B0 second address: 42A811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 jno 00007FC0786FEE58h 0x0000000e pop ecx 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FC0786FEE58h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a push 0000001Eh 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FC0786FEE58h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FC0786FEE5Bh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A811 second address: 42A822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0788635FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42A953 second address: 42A962 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42AB17 second address: 42AB7D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC0788635FEh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FC078863605h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push esi 0x00000016 pushad 0x00000017 jmp 00007FC078863602h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pop esi 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 jmp 00007FC0788635FEh 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jc 00007FC0788635FCh 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 42AB7D second address: 42AB81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461539 second address: 461544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC0788635F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461681 second address: 46168E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461842 second address: 461851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461851 second address: 461855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461855 second address: 46185B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46185B second address: 461871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007FC0786FEE56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4619A4 second address: 4619A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4619A8 second address: 4619AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461B04 second address: 461B15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FC0788635F6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461B15 second address: 461B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461DDB second address: 461E00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 popad 0x0000000a push edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d ja 00007FC0788635F6h 0x00000013 pop edi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC0788635FAh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461E00 second address: 461E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461F6D second address: 461F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC0788635F6h 0x0000000a js 00007FC0788635F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461F7F second address: 461F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 461F88 second address: 461F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468B8C second address: 468B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FC0786FEE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468B96 second address: 468BA0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC0788635F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 467C9B second address: 467CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC0786FEE56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 467E01 second address: 467E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46824D second address: 468270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC0786FEE60h 0x00000009 jmp 00007FC0786FEE5Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4683EA second address: 4683EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 468655 second address: 46866C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC0786FEE5Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4673C0 second address: 4673C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4673C9 second address: 4673F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC0786FEE56h 0x0000000a popad 0x0000000b popad 0x0000000c jc 00007FC0786FEE7Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007FC0786FEE64h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46FC34 second address: 46FC38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46FC38 second address: 46FC3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46FC3E second address: 46FC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC0788635FBh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46EC53 second address: 46EC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46EC5B second address: 46EC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FC0788635F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46EC69 second address: 46EC92 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC0786FEE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FC0786FEE63h 0x00000010 jl 00007FC0786FEE56h 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46EF52 second address: 46EF69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC078863600h 0x00000007 push esi 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F0A7 second address: 46F0C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC0786FEE5Dh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC0786FEE5Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F67D second address: 46F683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F683 second address: 46F689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F689 second address: 46F692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F692 second address: 46F697 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F697 second address: 46F69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F69F second address: 46F6A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F96C second address: 46F972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F972 second address: 46F97E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 472804 second address: 472812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 je 00007FC0788635F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 472812 second address: 472818 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4768F8 second address: 4768FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4768FF second address: 476904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 476904 second address: 47690F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 479848 second address: 479854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FC0786FEE56h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 479854 second address: 479858 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 479858 second address: 47985E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47985E second address: 47986F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007FC0788635F6h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4793F6 second address: 47940B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC0786FEE5Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47940B second address: 479415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC0788635F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4831EB second address: 4831FD instructions: 0x00000000 rdtsc 0x00000002 je 00007FC0786FEE5Ch 0x00000008 jng 00007FC0786FEE56h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4831FD second address: 483203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF709 second address: 4FF713 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC0788635F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FF713 second address: 4FF73D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jl 00007FC0786FEE56h 0x0000000b jnc 00007FC0786FEE56h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 jnc 00007FC0786FEE56h 0x0000001f jmp 00007FC0786FEE5Ah 0x00000024 pop edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 424A9F second address: 424AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 424AA5 second address: 424AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 26DB19 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 26DA86 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 429A30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4E10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 rdtsc 0_2_0040B019
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004071CC sidt fword ptr [esp-02h] 0_2_004071CC
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 5416 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00452CCF GetSystemInfo,VirtualAlloc, 0_2_00452CCF
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
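The RDTSC interceptor records in this section are the sandbox's view of one timing probe each: two rdtsc reads with nothing but filler between them (push/pop pairs, pushad/popad, opaque conditional jumps), so that a debugger single-stepping the gap, or a sandbox emulating it, inflates the tick delta the code compares against a threshold. Two practitioner caveats apply when reading them. First, the offsets in a record are positions in the executed trace, not byte distances in the image; where the filler jumps are taken the two differ (first record: 0x37 bytes between the two addresses against 0x21 bytes of trace). Second, the 922337203685477 ms delay in the thread entries is INT64_MAX/10000, the largest 100-ns interval a LARGE_INTEGER timeout can carry, i.e. a sleep that never returns on its own. The sidt at 0_2_004071CC is the classic red-pill IDT-base check, which is unreliable on multi-core hosts because each CPU has its own IDT. The following Python is an added example, not part of the Joe Sandbox report: it parses interceptor records into structured form and classifies each gap. The four embedded records are copied verbatim from the list above with the file-name column dropped, and the filler/branch mnemonic tables are an assumption about what counts as a no-op here.

```python
import re
from dataclasses import dataclass, field

# Constructed input: four "RDTSC instruction interceptor" records copied verbatim
# from the report's list (the "Source: ...file.exe" column dropped).
SAMPLE_RECORDS = [
    "RDTSC instruction interceptor: First address: 4FC1BB second address: 4FC1F2 instructions: "
    "0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jno 00007FC0788635F6h "
    "0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx "
    "0x0000000f jmp 00007FC0788635FBh 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax "
    "0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FC078863607h "
    "0x0000001f rdtsc",
    "RDTSC instruction interceptor: First address: 4FC20C second address: 4FC211 instructions: "
    "0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc",
    "RDTSC instruction interceptor: First address: 50491E second address: 504928 instructions: "
    "0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC0786FEE56h "
    "0x0000000a rdtsc",
    "RDTSC instruction interceptor: First address: 424A9F second address: 424AA5 instructions: "
    "0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx "
    "0x00000006 rdtsc",
]

HEADER_RE = re.compile(r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$")
INSTR_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.+?)(?= 0x[0-9A-Fa-f]{8} |$)")

# Assumed no-op vocabulary: stack shuffling (net effect in dword slots, negative = stack
# grows) and the opaque jumps the protector places between the two reads.
STACK_EFFECT = {"push": -1, "pop": 1, "pushad": -8, "popad": 8}
BRANCHES = {"jmp", "jo", "jno", "js", "jns", "je", "jz", "jne", "jnz", "jb", "jc", "jnb",
            "jnc", "jbe", "ja", "jl", "jnl", "jge", "jle", "jg"}


@dataclass
class RdtscPair:
    first: int                                        # address of the first rdtsc
    second: int                                       # address of the second rdtsc
    instructions: list = field(default_factory=list)  # (trace offset, mnemonic, operands)

    @property
    def between(self):
        """Instructions executed between the two reads."""
        return self.instructions[1:-1]

    @property
    def trace_bytes(self):
        """Bytes of executed trace; differs from second-first when a jump is taken."""
        return self.instructions[-1][0] + 2           # rdtsc encodes as 0F 31

    @property
    def stack_delta(self):
        return sum(STACK_EFFECT.get(m, 0) for _, m, _ in self.between)

    @property
    def branches(self):
        return sum(m in BRANCHES for _, m, _ in self.between)

    @property
    def pure_filler(self):
        """True when nothing between the reads does work: only the tick delta is consumed."""
        return all(m in STACK_EFFECT or m in BRANCHES for _, m, _ in self.between)


def parse_record(line: str) -> RdtscPair:
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError(f"not an RDTSC interceptor record: {line[:60]!r}")
    pair = RdtscPair(int(m.group(1), 16), int(m.group(2), 16))
    for off, text in INSTR_RE.findall(m.group(3)):
        mnemonic, _, operands = text.partition(" ")
        pair.instructions.append((int(off, 16), mnemonic.lower(), operands))
    if len(pair.instructions) < 2 or {pair.instructions[0][1], pair.instructions[-1][1]} != {"rdtsc"}:
        raise ValueError("record must start and end with rdtsc")
    return pair


def summarize(lines) -> dict:
    pairs = [parse_record(line) for line in lines]
    return {
        "pairs": len(pairs),
        "pure_filler": sum(p.pure_filler for p in pairs),
        "max_between": max(len(p.between) for p in pairs),
        "pages": sorted({p.first >> 12 for p in pairs}),   # 4 KiB pages hosting the probes
    }


if __name__ == "__main__":
    for p in map(parse_record, SAMPLE_RECORDS):
        print(f"{p.first:06X}->{p.second:06X} gap {p.second - p.first:3d}B trace {p.trace_bytes:3d}B "
              f"{len(p.between):2d} instr, stack {p.stack_delta:+d}, jumps {p.branches}, filler={p.pure_filler}")
    print(summarize(SAMPLE_RECORDS))
```

Feed it the whole interceptor list to get one line per probe; pure_filler is the property to key on when bulk-triaging, and the page of the first address groups probes by the code region the protector unrolled them into (the list above spans three such regions: 0x424xxx, 0x4FCxxx-0x4FFxxx and 0x500xxx-0x506xxx).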

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040B019 rdtsc 0_2_0040B019
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044EA90 GetSystemTime,GetFileTime, 0_2_0044EA90

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
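The registry writes listed above neutralise Defender through its policy keys (real-time and IOAV protection, Security Center notifications), touch the TamperProtection value, and switch off Windows Update through policy. Two things a practitioner will want here. The caveat: Tamper Protection exists precisely to stop these Defender settings from being changed through the registry by any process, administrator included, so the report shows the values being written, not that Defender honoured them. The check: registry-value-set events (Sysmon Event ID 13) filtered on exactly these key suffixes and value names with the written DWORD decoded, because the Group Policy engine legitimately writes the same values with the opposite data. The following Python is an added example and not part of the Joe Sandbox report. Its events are constructed Sysmon-style records mirroring the writes above, plus two benign controls; the report gives neither the key path of TamperProtection nor the AUOptions data, so HKLM\SOFTWARE\Microsoft\Windows Defender\Features and AUOptions=1 (Automatic Updates disabled) are assumptions. The T1562.001 tag follows the ATT&CK matrix below, which files these signatures under Disable or Modify Tools.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed Sysmon-style "Registry value set" records (Event ID 13) mirroring the
# writes listed in the report; the svchost and Contoso entries are benign controls.
# These are fabricated log records, not data from the sandbox report.
IMAGE = r"C:\Users\user\Desktop\file.exe"
SAMPLE_EVENTS = [
    {"Image": IMAGE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications"},
    {"Image": IMAGE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection"},
    {"Image": IMAGE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"Image": IMAGE, "Details": "DWORD (0x00000000)",          # key path assumed (see lead-in)
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"Image": IMAGE, "Details": "DWORD (0x00000001)",          # data assumed (see lead-in)
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions"},
    {"Image": IMAGE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations"},
    # Benign: policy engine re-enabling monitoring, and an unrelated key with a look-alike value name.
    {"Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"Image": IMAGE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\Software\Contoso\DisableNotifications"},
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
HIVE_RE = re.compile(r"^(HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER|HKU|HKEY_USERS)\\", re.I)


@dataclass(frozen=True)
class Rule:
    key_suffix: str                # tail of the key path, matched case-insensitively on a \ boundary
    value: str                     # value name
    bad: Callable[[int], bool]     # predicate on the written DWORD
    title: str
    severity: str
    technique: str = "T1562.001"   # Impair Defenses: Disable or Modify Tools


RULES = [
    Rule(r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring",
         lambda v: v == 1, "Defender real-time monitoring disabled by policy", "high"),
    Rule(r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableIOAVProtection",
         lambda v: v == 1, "Defender download/attachment (IOAV) scanning disabled by policy", "high"),
    Rule(r"Policies\Microsoft\Windows Defender Security Center\Notifications", "DisableNotifications",
         lambda v: v == 1, "Defender Security Center notifications suppressed", "medium"),
    Rule(r"Microsoft\Windows Defender\Features", "TamperProtection",
         lambda v: v == 0, "Tamper Protection value cleared", "high"),
    Rule(r"Policies\Microsoft\Windows\WindowsUpdate\AU", "AUOptions",
         lambda v: v == 1, "Automatic Updates disabled by policy (AUOptions=1)", "medium"),
    Rule(r"Policies\Microsoft\Windows\WindowsUpdate", "DoNotConnectToWindowsUpdateInternetLocations",
         lambda v: v == 1, "Windows Update internet endpoints disabled by policy", "medium"),
]


def split_target(target: str):
    """'HKLM\\a\\b\\Name' -> ('a\\b', 'Name'), hive prefix dropped."""
    key, _, value = HIVE_RE.sub("", target).rpartition("\\")
    return key, value


def decode_dword(details: Optional[str]) -> Optional[int]:
    m = DWORD_RE.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def detect(events) -> list:
    findings = []
    for ev in events:
        key, value = split_target(ev["TargetObject"])
        data = decode_dword(ev.get("Details"))
        if data is None:
            continue                               # only DWORD writes are policy toggles here
        for rule in RULES:
            if (("\\" + key.lower()).endswith("\\" + rule.key_suffix.lower())
                    and value.lower() == rule.value.lower() and rule.bad(data)):
                findings.append({"image": ev["Image"], "key": key, "value": value, "data": data,
                                 "title": rule.title, "severity": rule.severity,
                                 "technique": rule.technique})
    return findings


def verdict(findings) -> str:
    """Escalate when one process both disables protection and silences the UI about it."""
    by_image = {}
    for f in findings:
        by_image.setdefault(f["image"], set()).add(f["value"])
    for image, values in by_image.items():
        if {"DisableRealtimeMonitoring", "DisableNotifications"} <= values:
            return f"defender-neutralized: {image}"
    return "suspicious" if findings else "clean"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f['severity']}] {f['technique']} {f['title']}: {f['key']}\\{f['value']} = {f['data']}")
    print(verdict(hits))
```

Matching on the key tail rather than the full path keeps the rules valid for HKLM written as HKEY_LOCAL_MACHINE, for Sysmon's `HKLM\` prefix and for EDR telemetry that prepends `\REGISTRY\MACHINE\`; the backslash boundary stops `NotPolicies\...` style near-misses, and the benign svchost write (data 0) and the Contoso key (wrong path, same value name) fall through.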
MITRE ATT&CK matrix (techniques the report maps signatures to are followed by their signature count in parentheses; the remaining entries are the unflagged matrix cells)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Bypass User Account Control (2), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Masquerading (1), Disable or Modify Tools (41), Virtualization/Sandbox Evasion (271), Process Injection (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (12), DLL Side-Loading (1), Bypass User Account Control (2)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1), Security Software Discovery (641), Process Discovery (2), Virtualization/Sandbox Evasion (271), System Information Discovery (24), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Encrypted Channel (2), Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Source | Detection | Scanner | Label
file.exe | 58% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1532901
Start date and time:2024-10-14 06:02:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com, time.windows.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.933326836866019
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'760'256 bytes
MD5:a024a8a076c6f3f2ee6dd97c51cd72a8
SHA1:1c995e44fae09f8f711a16bb6b26fae957eb1706
SHA256:ffe3772fdb21678a4614b824fb3f2018eee8fad7d9358063b5d0538a0e043685
SHA512:3e0226d128394e4222befd8b14836d9729b00bcbb1b57d0da08043e8fc5161f6ae1bafe5783f7d40ab1f6754afa300edfc5c0dc8d51d7a9e851c5b6244425ce4
SSDEEP:24576:Dl4WimeCt7I0g7eXRpRXzkp0EHb5zCV++D46kG8c9k//lgCeq+gGRbJeQJBg2S2V:DTimed3CBbYpR75ztIk69k/Oq+DPiU
TLSH:1A85338EF9A4C35DD46ACF390632CF583F558796686B722D6E84363A0C54F0E34BA46C
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............E.. ...`....@.. ....................... F...........`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x85e000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FC078E3AC1Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(blank) | 0x2000 | 0x4000 | 0x1200 | 748621d8002bac7f319a4e4407ed44ce | False | 0.9290364583333334 | OpenPGP Public Key | 7.745521434288489 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(blank) | 0xa000 | 0x2aa000 | 0x200 | 0e3aba30141f2ddd4f7f3a59d8929cbf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dxnzjtng | 0x2b4000 | 0x1a8000 | 0x1a7a00 | 461c012199e6196250f65a3732348966 | False | 0.9950414023310711 | data | 7.9537812643556745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bnjbabth | 0x45c000 | 0x2000 | 0x400 | 3ce93aa614d34628501059d2e20afb09 | False | 0.78125 | data | 6.107976173722523 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x45e000 | 0x4000 | 0x2200 | 6dc314d53772f9dbc52e8bf99c9f6791 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
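The static tables above show a protected binary rather than a compiled program: two sections whose names did not render, every section except .rsrc and .idata mapped readable, writable and executable, the two large ones at entropy 7.75 and 7.95, a section with 0x2aa000 bytes of virtual size backed by 0x200 bytes on disk (the buffer the "Detected unpacking" signature saw being rewritten and re-protected), the entry point inside .taggant, and a single static import, kernel32!lstrcpy, so the import hash identifies the protector stub rather than the payload, whose real API set is resolved at run time (LoadLibraryExA/GetProcAddress in the execution graph further down). The following stdlib-only Python is an added example, not part of the Joe Sandbox report: it walks a PE32 section table and applies exactly those checks. build_sample_pe is a constructed fixture whose section names, RVAs, sizes and characteristics mirror the table (its contents are synthetic, so its MD5s and entropies do not match the report's); it is not the analysed file.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
STANDARD_SECTIONS = {".text", ".code", ".rdata", ".data", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Minimal PE header walk: entry point RVA plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i            # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"entry_rva": entry_rva, "sections": sections}


def triage(pe: dict) -> list:
    """Packer/protector indicators of the kind the report's static signatures describe."""
    findings = []
    ep = pe["entry_rva"]
    host = next((s for s in pe["sections"]
                 if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if host is None:
        findings.append("entry point outside every section")
    elif host["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {host['name']!r}")
    for s in pe["sections"]:
        if s["chars"] & RWX == RWX:
            findings.append(f"section {s['name']!r} is writable and executable")
        if s["rawsize"] >= 256 and s["entropy"] > 7.0:
            findings.append(f"section {s['name']!r} entropy {s['entropy']:.2f} (packed/encrypted)")
        if s["rawsize"] and s["vsize"] > 8 * s["rawsize"]:
            findings.append(f"section {s['name']!r} virtual size {s['vsize']:#x} >> raw size "
                            f"{s['rawsize']:#x} (unpack target)")
        if not s["name"].strip() or not s["name"].isprintable():
            findings.append(f"section at {s['va']:#x} has an empty or unprintable name")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 fixture mirroring the report's section table; contents are synthetic."""
    rng = random.Random(1532901)

    def rand(n):
        return rng.getrandbits(8 * n).to_bytes(n, "little")

    layout = [  # name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics, raw bytes
        ("",         0x002000, 0x004000, 0x001200, 0xE0000040, rand(0x1200)),
        (".rsrc",    0x006000, 0x00059C, 0x000600, 0xC0000040, b"VS_VERSION_INFO\0" * 0x60),
        (".idata",   0x008000, 0x002000, 0x000200, 0xC0000040, b"KERNEL32.dll\0lstrcpy\0".ljust(0x200, b"\0")),
        ("",         0x00A000, 0x2AA000, 0x000200, 0xE0000040, bytes(i % 16 for i in range(0x200))),
        ("dxnzjtng", 0x2B4000, 0x1A8000, 0x1A7A00, 0xE0000040, rand(0x1A7A00)),
        ("bnjbabth", 0x45C000, 0x002000, 0x000400, 0xE0000040, rand(0x200) + bytes(0x200)),
        (".taggant", 0x45E000, 0x004000, 0x002200, 0xE0000040, b"TAGG".ljust(0x2200, b"\0")),
    ]
    opt = bytearray(0xE0)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x45E000)                    # AddressOfEntryPoint (0x85e000 - 0x400000)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x462000, 0x400)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x0060)                  # Subsystem GUI, HIGH_ENTROPY_VA|DYNAMIC_BASE
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0x652C2850, 0, 0, len(opt), 0x0122)
    headers, raw, rawptr = bytes(dos) + b"PE\0\0" + coff + bytes(opt), b"", 0x400
    for name, va, vsize, rawsize, chars, data in layout:
        assert len(data) == rawsize
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
        raw += data
        rawptr += rawsize
    return headers.ljust(0x400, b"\0") + raw


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_pe())):
        print(line)
```

Run against a real file by replacing build_sample_pe() with open(path, "rb").read(); the virtual-size-to-raw-size ratio is the cheapest of the four indicators and the one that, for this sample, points at the region the unpacker fills before VirtualProtect flips its rights.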
No network behavior found

Target ID:0
Start time:00:03:00
Start date:14/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x260000
File size:1'760'256 bytes
MD5 hash:A024A8A076C6F3F2EE6DD97C51CD72A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.6%
    Dynamic/Decrypted Code Coverage:3.5%
    Signature Coverage:4.1%
    Total number of Nodes:345
    Total number of Limit Nodes:16
    execution_graph: node/edge dump of the 345-node graph, reduced here to the Win32 APIs it reaches. Image-resident code (0x3fe000-0x453fff): GetCurrentThreadId, GetModuleHandleA/W, GetModuleHandleExA, LoadLibraryA, LoadLibraryExA/W, GetProcAddress, FreeLibrary, lstrcmpiA, lstrcpyn, PathAddExtensionA, RegOpenKeyA, GetNativeSystemInfo, GetSystemInfo, VirtualAlloc, VirtualProtect, GetModuleFileNameA, GetWindowsDirectoryA, GetFileAttributesA/W, CreateFileA/W, CreateFileMappingA, MapViewOfFileEx, ReadFile, IsBadWritePtr, GetCurrentProcess, DuplicateHandle, CloseHandle. Code at 0x4cc0d48-0x4cc158f, above the end of the loaded image (0x260000 + 0x462000): OpenSCManagerW (4cc0d93), ImpersonateLoggedOnUser (4cc1349), ControlService (4cc1558).

    Control-flow Graph

    control_flow_graph: 15 basic blocks of 0_2_00452CCF, 452ccf-452e65. The entry block 452ccf calls GetSystemInfo; 452d2d calls VirtualAlloc and the first of five chained calls to 45301b (452d2d, 452d7c, 452da6, 452dd0, 452e2d); each failure edge converges on 452e5c, which calls 452e65 before the function returns through 452e63.
    APIs
    • GetSystemInfo.KERNELBASE(?,-12065FEC), ref: 00452CDB
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00452D3C
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 4232846558ec1b50c9145c0a8577850a961ab8b90b58e54d5b8a41893978f56a
    • Instruction ID: 64ca087f401d333964173da15016ca397a0761963acdb62d2c1e267ed4de9383
    • Opcode Fuzzy Hash: 4232846558ec1b50c9145c0a8577850a961ab8b90b58e54d5b8a41893978f56a
    • Instruction Fuzzy Hash: 3F4113B2E00206AFF325DF70CD45F9AB7ACBF48B41F004067A606DE582E77495D48B98

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 0044C127
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 0044C13B
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 2d487d0cb7eb6b7ff62672f791cb535a1ee90fb7701d8df41978ab2c5c8c8d9b
    • Instruction ID: 0e31119973409c913a75167964d1b45b80ee222ba1c894158180deca379c0c54
    • Opcode Fuzzy Hash: 2d487d0cb7eb6b7ff62672f791cb535a1ee90fb7701d8df41978ab2c5c8c8d9b
    • Instruction Fuzzy Hash: A631B171402205FFFF25AF90D841AAE7B75FF04305F14415BF90156162C73989A1DF9A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 40 3fe11b-3fe129 41 40260f-402647 40->41 43 402670-40268b RegOpenKeyA 41->43 44 402649-402664 RegOpenKeyA 41->44 46 4026a3-4026cf 43->46 47 40268d-402697 43->47 44->43 45 402666 44->45 45->43 50 4026d1-4026da GetNativeSystemInfo 46->50 51 4026dc-4026e6 46->51 47->46 50->51 52 4026f2-402700 51->52 53 4026e8 51->53 55 402702 52->55 56 40270c-402713 52->56 53->52 55->56 57 402726 56->57 58 402719-402720 56->58 60 403200-40324a 57->60 58->57 59 3ff32d-3ff334 58->59 61 3ff33a-401f5d 59->61 62 400866-40086d 59->62 65 40324b 60->65 61->41 62->60 65->65
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0040265C
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00402683
    • GetNativeSystemInfo.KERNELBASE(?), ref: 004026DA
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID: v\76
    • API String ID: 1247124224-1426833957
    • Opcode ID: 4e175fa64b594ce04c3f40d944c48489d1606a4ead577847e6624e7631f00229
    • Instruction ID: 4b784dff391323581a392935df760dbbd0eb32243fd0484668aa108f1f812988
    • Opcode Fuzzy Hash: 4e175fa64b594ce04c3f40d944c48489d1606a4ead577847e6624e7631f00229
    • Instruction Fuzzy Hash: 904193B150414E9FEB11EF14C848BEF77E9EF04701F00492ADA4192A81E77A5CA48B5E

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 66 44c51c-44c52d call 44be80 69 44c533 66->69 70 44c538-44c541 call 44a943 66->70 72 44c5cc-44c5d0 69->72 76 44c575-44c57c 70->76 77 44c547-44c553 call 44b055 70->77 74 44c5e4-44c5e7 GetModuleHandleA 72->74 75 44c5d6-44c5df GetModuleHandleW 72->75 78 44c5ed 74->78 75->78 81 44c5c7 call 44a9ee 76->81 82 44c582-44c589 76->82 83 44c558-44c55a 77->83 80 44c5f7-44c5f9 78->80 81->72 82->81 84 44c58f-44c596 82->84 83->81 86 44c560-44c565 83->86 84->81 87 44c59c-44c5a3 84->87 86->81 88 44c56b-44c5f2 call 44a9ee 86->88 87->81 89 44c5a9-44c5bd 87->89 88->80 89->81
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,0044C4AE,?,00000000,00000000), ref: 0044C5D9
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,0044C4AE,?,00000000,00000000), ref: 0044C5E7
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 92fadc0b9a8f548547b5a6b6290dfee87bf81ca48811a4a60f6f8d22ca487155
    • Instruction ID: f81bec818042a9e2885ae11aeedae25cf96c40b62fed5cec3e840a780c9dc2c2
    • Opcode Fuzzy Hash: 92fadc0b9a8f548547b5a6b6290dfee87bf81ca48811a4a60f6f8d22ca487155
    • Instruction Fuzzy Hash: 79115E71102515FBFB719F20C889B9E76B0FF00385F084217A405549E1C77DF5E1DA9A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 93 44ee76-44ee84 94 44ee96 93->94 95 44ee8a-44ee91 93->95 96 44ee9d-44eeb3 call 44a943 call 44b0a7 94->96 95->96 101 44eed2 96->101 102 44eeb9-44eec7 call 44b055 96->102 104 44eed6-44eed9 101->104 107 44eecd 102->107 108 44eede-44eee3 102->108 106 44ef09-44ef10 call 44a9ee 104->106 107->104 110 44eee9-44eef5 GetFileAttributesW 108->110 111 44eefa-44eefd GetFileAttributesA 108->111 113 44ef03-44ef04 110->113 111->113 113->106
    APIs
    • GetFileAttributesW.KERNELBASE(00D603CC,-12065FEC), ref: 0044EEEF
    • GetFileAttributesA.KERNEL32(00000000,-12065FEC), ref: 0044EEFD
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 05d9b9820ba6d47980608469417676b86ef31e0ac8e50cf5b5cded7c77e47fb5
    • Instruction ID: d7fbb3f7262546eca849dda9a3755372bc9a975fd500262495a2ea45fedba678
    • Opcode Fuzzy Hash: 05d9b9820ba6d47980608469417676b86ef31e0ac8e50cf5b5cded7c77e47fb5
    • Instruction Fuzzy Hash: 0C016D70504205FBFB219F16C90DB9E7FB0BF40305F208527E60265591D7B89A96EB4A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 114 44aef6-44af26 116 44b051-44b052 114->116 117 44af2c-44af41 114->117 117->116 119 44af47-44af4b 117->119 120 44af51-44af63 PathAddExtensionA 119->120 121 44af6d-44af74 119->121 126 44af6c 120->126 122 44af96-44af9d 121->122 123 44af7a-44af89 call 44ab97 121->123 124 44afa3-44afaa 122->124 125 44afdf-44afe6 122->125 132 44af8e-44af90 123->132 128 44afb0-44afb9 124->128 129 44afc3-44afd2 call 44ab97 124->129 130 44afec-44b002 call 44ab97 125->130 131 44b008-44b00f 125->131 126->121 128->129 133 44afbf 128->133 139 44afd7-44afd9 129->139 130->116 130->131 136 44b015-44b02b call 44ab97 131->136 137 44b031-44b038 131->137 132->116 132->122 133->129 136->116 136->137 137->116 138 44b03e-44b04b call 44abd0 137->138 138->116 139->116 139->125
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 0044AF58
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 0395198fa6f20cf740707a8ac69656b18114670d510abcf93a0f05715b433eca
    • Instruction ID: aea2582cb8fb9519d78dc6cb647882e41bdff3ff79c67e2a43e2b7abe8d26510
    • Opcode Fuzzy Hash: 0395198fa6f20cf740707a8ac69656b18114670d510abcf93a0f05715b433eca
    • Instruction Fuzzy Hash: 0D313731500209BFEF22CE95C809F9FBA76FF48309F000056FA02A5590D73AD9A4DB99

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 145 44c605-44c618 call 44a943 148 44c61e-44c62a call 44b055 145->148 149 44c65b-44c66f call 44a9ee GetModuleHandleExA 145->149 153 44c62f-44c631 148->153 154 44c679-44c67b 149->154 153->149 155 44c637-44c63e 153->155 156 44c644 155->156 157 44c647-44c674 call 44a9ee 155->157 156->157 157->154
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 0044C669
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: d49a4dc7ae470fbbfb0a5ff9ab852e6215edd62fdd8a6fcc7fe6cff25bebcdc1
    • Instruction ID: 0e7955e4bed1e7e6c19380ac27dfc15e16cc59d7944f46dd91176d39a8dd13ea
    • Opcode Fuzzy Hash: d49a4dc7ae470fbbfb0a5ff9ab852e6215edd62fdd8a6fcc7fe6cff25bebcdc1
    • Instruction Fuzzy Hash: 49F06DB1141205EFFF009F54C986BAB7BA5FF14304F16C516FD0586192C739C9619A6A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 188 44f092-44f0a0 189 44f0a6-44f0ad 188->189 190 44f0b2 188->190 191 44f0b9-44f0c5 call 44a943 189->191 190->191 194 44f0e0-44f0f0 call 44f044 191->194 195 44f0cb-44f0d5 call 44ef9f 191->195 201 44f0f6-44f0fd 194->201 202 44f102-44f110 call 44b055 194->202 195->194 200 44f0db 195->200 203 44f121-44f126 200->203 201->203 202->203 208 44f116-44f117 call 44c899 202->208 206 44f12c-44f14a CreateFileW 203->206 207 44f14f-44f164 CreateFileA 203->207 209 44f16a-44f16b 206->209 207->209 212 44f11c 208->212 211 44f170-44f177 call 44a9ee 209->211 212->211
    APIs
    • CreateFileW.KERNELBASE(00D603CC,?,?,-12065FEC,?,?,?,-12065FEC,?), ref: 0044F144
      • Part of subcall function 0044F044: IsBadWritePtr.KERNEL32(?,00000004), ref: 0044F052
    • CreateFileA.KERNEL32(?,?,?,-12065FEC,?,?,?,-12065FEC,?), ref: 0044F164
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 06d8206a3058c823b91d8a461d15fb78d6f8f56227122d433dcd56efe8420115
    • Instruction ID: 5f1608b90d2f226550bd9db57a794d5aa603d5fdb20225b54e4110c395208171
    • Opcode Fuzzy Hash: 06d8206a3058c823b91d8a461d15fb78d6f8f56227122d433dcd56efe8420115
    • Instruction Fuzzy Hash: 0111F972104109FBEF129FD0DC05B9E7A72BF44344F144126B905645A1C37A89B9EB5A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 215 44e9fe-44ea14 call 44a943 GetCurrentProcess 218 44ea56-44ea78 call 44a9ee DuplicateHandle 215->218 219 44ea1a-44ea1d 215->219 224 44ea82-44ea84 218->224 219->218 221 44ea23-44ea26 219->221 221->218 223 44ea2c-44ea3f call 44a79d 221->223 223->218 227 44ea45-44ea7d call 44c79b call 44a9ee 223->227 227->224
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
    • GetCurrentProcess.KERNEL32(-12065FEC), ref: 0044EA0B
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0044EA71
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: 84f1bda93e8d75798b55017fd991c4ba23049af872b9bd5265eb939f48c51133
    • Instruction ID: 90a6885679fc54727eae247f61535b88fc57a4e5436dfbe2d2a26976e39ccc4d
    • Opcode Fuzzy Hash: 84f1bda93e8d75798b55017fd991c4ba23049af872b9bd5265eb939f48c51133
    • Instruction Fuzzy Hash: 7C016D7214000AFBAF22AFA6DC45C9F3B76FF883947054917F905A0051C73AC572EB2A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 232 453072-45307d 233 453083-4530a5 VirtualAlloc 232->233 234 4530ac-4530b9 232->234 233->234 236 4530bf-4530cb 234->236 237 4530ea-4530ec 234->237 239 4530d1-4530d4 236->239 240 4530e2-4530e7 239->240 241 4530da-4530dd 239->241 240->237 241->239
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,t-E,0045306E,?,?,?,?,?,t-E,?,?,00452D74), ref: 00453092
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: t-E
    • API String ID: 4275171209-2317743726
    • Opcode ID: b7f7d46837de9bd3610ef06fddad46c5da4480d82de303977e1ec14e6b92cb48
    • Instruction ID: fa3dde2eac2d51de58c713129e03886b6f5bcbb4de43ce49206d10fbeb80a351
    • Opcode Fuzzy Hash: b7f7d46837de9bd3610ef06fddad46c5da4480d82de303977e1ec14e6b92cb48
    • Instruction Fuzzy Hash: 2AF081B1A00305EFEB248F14CE05B99BBE4FF457A3F108469F84A9B292D3B598C0DB54

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 266 4536fb-453709 267 45372c-453736 call 453590 266->267 268 45370f-453721 266->268 273 453741-45374a 267->273 274 45373c 267->274 268->267 272 453727 268->272 275 45388b-45388d 272->275 276 453750-453757 273->276 277 453762-453769 273->277 274->275 276->277 278 45375d 276->278 279 453774-453784 277->279 280 45376f 277->280 278->275 279->275 281 45378a-453796 call 453665 279->281 280->275 284 453799-45379d 281->284 284->275 285 4537a3-4537ad 284->285 286 4537d4-4537d7 285->286 287 4537b3-4537c6 285->287 288 4537da-4537dd 286->288 287->286 292 4537cc-4537ce 287->292 290 453883-453886 288->290 291 4537e3-4537ea 288->291 290->284 293 4537f0-4537f6 291->293 294 453818-453831 291->294 292->286 292->290 295 453813 293->295 296 4537fc-453801 293->296 300 453837-453845 294->300 301 45384a-453852 VirtualProtect 294->301 298 45387b-45387e 295->298 296->295 297 453807-45380d 296->297 297->294 297->295 298->288 302 453858-45385b 300->302 301->302 302->298 304 453861-45387a 302->304 304->298
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 924ff7c61fe64d623969f72e0c018c867cce6f9b82ef64668ae1b59d37cd3598
    • Instruction ID: 36805b6bea48fc0fec921d2f04f410450e0f5183f9d985fa70269582b4357460
    • Opcode Fuzzy Hash: 924ff7c61fe64d623969f72e0c018c867cce6f9b82ef64668ae1b59d37cd3598
    • Instruction Fuzzy Hash: FE41C1B1D00205EFDB29DF50C844BAEB7A1FB04397F148456FC02AA643C379AE99CB59

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 306 44d07d-44d08e 307 44d094-44d0a8 call 44aa21 306->307 308 44d0bd-44d0c6 call 44aa21 306->308 318 44d1ab 307->318 319 44d0ae-44d0bc 307->319 313 44d1a3-44d1a6 call 44aa46 308->313 314 44d0cc-44d0dd call 44c85f 308->314 313->318 322 44d0e3-44d0e7 314->322 323 44d0fd-44d13c CreateFileA 314->323 321 44d1b2-44d1b6 318->321 319->308 324 44d0ed-44d0f9 call 4518e7 322->324 325 44d0fa 322->325 326 44d160-44d163 323->326 327 44d142-44d15f 323->327 324->325 325->323 330 44d196-44d19e call 44c6ee 326->330 331 44d169-44d180 call 44a763 326->331 327->326 330->318 331->321 338 44d186-44d191 call 44c75c 331->338 338->318
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 0044D132
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 030237c7608cb4fef4b742ee1d3faeb208f9634fb7e57315b7d5f84df55c9632
    • Instruction ID: 54e13f151a8a9a92c6a3a847f134bb8a4e3dde8625cf419f1f98829f25a14e3d
    • Opcode Fuzzy Hash: 030237c7608cb4fef4b742ee1d3faeb208f9634fb7e57315b7d5f84df55c9632
    • Instruction Fuzzy Hash: BF316F71900204BFFB20AF55DC85F9AB7B8EF04318F20826AF915AA2D1C7799952CB58
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 0044C91B
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 7f5ba6f39396cd82695f77fe7377624b494cd55961e42bdf2fdadef8223cc44b
    • Instruction ID: b4562aec5cc5e6b1c1744b796c1912cf541bfc616e29bbd8bda8966d20a9931f
    • Opcode Fuzzy Hash: 7f5ba6f39396cd82695f77fe7377624b494cd55961e42bdf2fdadef8223cc44b
    • Instruction Fuzzy Hash: B931F771541204BFFB309F64DC85F8AB7B8EB04728F24421AF611EE1D1D3BAA551CB58
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 004534F5
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 14cb47b72c6b73d61589b1aa4c471f74fbe7bb23c8856cc8e7859992ee31519e
    • Instruction ID: fcb4704fdb7b4120894d502cd6ecb8eb0c9dde2af17e6234d9d104cd30050261
    • Opcode Fuzzy Hash: 14cb47b72c6b73d61589b1aa4c471f74fbe7bb23c8856cc8e7859992ee31519e
    • Instruction Fuzzy Hash: 3B118BB1A0112DABEB318D048C44BAFB7ACAF05797F105057FD0592143E7789F998AA9
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04CC0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1384234492.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4cc0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 9a7450e1cc5d3e3a1b712385f3c38c37370f9364f420a06417856f19a2a7bf73
    • Instruction ID: 9ee1a0eba1859f26ee795ec3762df02eba45e56f0d0b197fc7eefa73f53cde63
    • Opcode Fuzzy Hash: 9a7450e1cc5d3e3a1b712385f3c38c37370f9364f420a06417856f19a2a7bf73
    • Instruction Fuzzy Hash: F42137B6C01219DFCB10CF9AD884BDEFBB5EB88310F14811AD918AB244D734A645CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04CC0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1384234492.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4cc0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 0ec67d443659a16a2b4a763f965c0a65bf221a6b45c969b38a6a6f361b19d57b
    • Instruction ID: 23f8bf4278f847de7cf1eb4e8a9148798d79125a1795cc964925e43b71b156bc
    • Opcode Fuzzy Hash: 0ec67d443659a16a2b4a763f965c0a65bf221a6b45c969b38a6a6f361b19d57b
    • Instruction Fuzzy Hash: 5D2104B6C01219DFCB10CF9AD885BDEFBB5EB88310F14861AD818AB244D774A645CBA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04CC1580
    Memory Dump Source
    • Source File: 00000000.00000002.1384234492.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4cc0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04CC1580
    Memory Dump Source
    • Source File: 00000000.00000002.1384234492.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4cc0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-12065FEC), ref: 0044FC51
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04CC1367
    Memory Dump Source
    • Source File: 00000000.00000002.1384234492.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4cc0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04CC1367
    Memory Dump Source
    • Source File: 00000000.00000002.1384234492.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4cc0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-12065FEC,?,?,0044CFC5,?,?,00000400,?,00000000,?,00000000), ref: 0044F302
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
    • CloseHandle.KERNELBASE(0044D05A,-12065FEC,?,?,0044D05A,?), ref: 0044D6D5
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID:
    • API String ID: 3305057742-0
    APIs
    • CloseHandle.KERNELBASE(?,?,0044A7E2,?,?), ref: 0044C762
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: &al$6!_$8Ig^$>l~$A.?$FQe$L<e~$PN~$Vkx$]+r=$O;o
    • API String ID: 0-1187152487
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: +#\2$GOn~$Rt}O$t{km$zl$w
    • API String ID: 0-4107898093
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: !PP$36Db$3<^i$AU){$nK$r1
    • API String ID: 0-2278086041
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: =Tv}$BIE$$}A/}$@;{$V@p
    • API String ID: 0-3671181457
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: e~?$0w$[swg$c.N?
    • API String ID: 0-3196046233
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: Ln,|$hb$hb$oH5w
    • API String ID: 0-3262124758
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: 6y~$O~b$v$^
    • API String ID: 0-618941704
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: 02Wa$d%}$4}_
    • API String ID: 0-1736207142
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
    • GetSystemTime.KERNEL32(?,-12065FEC), ref: 0044EAC5
    • GetFileTime.KERNEL32(?,?,?,?,-12065FEC), ref: 0044EB08
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 0044F995
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: ;V44
    • API String ID: 0-4106352124
    • Opcode ID: 16e053a8d7db5c760811dca0409b219660a889573a98ab8e8e3531153715f07f
    • Instruction ID: 84e9d135eb171ee70101c9c9786daaeedd498f0ea9dadb5a6bb9c88b8ed32a41
    • Opcode Fuzzy Hash: 16e053a8d7db5c760811dca0409b219660a889573a98ab8e8e3531153715f07f
    • Instruction Fuzzy Hash: 8F511AF390C2009BE70C2F28EC5677AFBD5EB94720F16463DEAC597780EE3958058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID: C_
    • API String ID: 0-3125379340
    • Opcode ID: d9c96d18ed97d2823f5d8e485b554a7c5161bb5ec0a7328e11fe3e9706acf7de
    • Instruction ID: 6c30dfeb422be636a9e56556be307de77bd576016b026a3f3fd14a88a2e2a966
    • Opcode Fuzzy Hash: d9c96d18ed97d2823f5d8e485b554a7c5161bb5ec0a7328e11fe3e9706acf7de
    • Instruction Fuzzy Hash: 01514BF26087049FE300AF59ECC1B6AFBE9EF98720F56482DD6C883340E67559518B96
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4eed0bf73da86bc65aa42b5d7afbaacd4c9ffac430c378fa9f5faf918b64cbed
    • Instruction ID: e05561303e72a497072777dd6ee36c1db9f5c0b2c51787b5259bbb5ae795c517
    • Opcode Fuzzy Hash: 4eed0bf73da86bc65aa42b5d7afbaacd4c9ffac430c378fa9f5faf918b64cbed
    • Instruction Fuzzy Hash: E49171B3F112254BF3544E78CC983627652DB96314F2F81B88E8C5B7C6D97E5C4A9384
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c25c5e3f9792d9a2089279a6dd9bd7354e57822ff1059df3dc749fd587a0f43d
    • Instruction ID: a0b5820dc439b499450799bfbd76690a26b013d1f42df281f1899447e6917361
    • Opcode Fuzzy Hash: c25c5e3f9792d9a2089279a6dd9bd7354e57822ff1059df3dc749fd587a0f43d
    • Instruction Fuzzy Hash: 5C51F0F3B041205BF718692DEC957BBBA95EB80720F2B453DEB89D7380E83858054296
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3eb64f260c25ec5dff8b9c4a9a0b74ca870e0aa7c4a77975b282220ac4eab37d
    • Instruction ID: 3e1163b8f2eb9a6d5a0af1a4e8c6c846d5ed48d253f4eac1f3ff791e6115d62b
    • Opcode Fuzzy Hash: 3eb64f260c25ec5dff8b9c4a9a0b74ca870e0aa7c4a77975b282220ac4eab37d
    • Instruction Fuzzy Hash: BF51E4B3A0C2149FE349AE29DC5467BB7E9EF94720F16863DE5C4C7384EA31980487D2
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ea12b36ee8db827ffd3c7bfd8508712e887c9396920cef0e4d358772c2a1abbd
    • Instruction ID: 4cbd854f56d4b0f093f2a477dae68849b5f5278910ca71bb2671ffba017e5661
    • Opcode Fuzzy Hash: ea12b36ee8db827ffd3c7bfd8508712e887c9396920cef0e4d358772c2a1abbd
    • Instruction Fuzzy Hash: 9D51F7B2A0D708DBF3046E54DE8563AB7D4AB14310F66452FA78287700E6BE5446E68B
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d3f771a6a252cf527d15d15ee017fa9b3fd72f03d330397a367917d4ede2aa93
    • Instruction ID: 01b57b69928fa3b0c1556a48921b60e93b7ca550896a5d058c1880e7072dbba7
    • Opcode Fuzzy Hash: d3f771a6a252cf527d15d15ee017fa9b3fd72f03d330397a367917d4ede2aa93
    • Instruction Fuzzy Hash: EA51F4F3E082149BE3006E2DDC4572AB7D6DBE4720F1B853DDECC97784E93A98058686
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f6143a54fdadad1b3104f0d1b238a934a12eda2df2c3d8a6f80d6a2a44ba68b7
    • Instruction ID: 80990b25fb74c1eec7a8d3f8577c147c75a63d5219b610f4bbc158ec08229d21
    • Opcode Fuzzy Hash: f6143a54fdadad1b3104f0d1b238a934a12eda2df2c3d8a6f80d6a2a44ba68b7
    • Instruction Fuzzy Hash: 49412CF360C6005BE3045D3EDD5676ABADADBC4360F26463EEA85D3B88E83948064195
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: cf0b9bc54d6675bdf54b09453518b91943339e1b698eae9c6bf5820d5181119e
    • Instruction ID: 5b2e265db408bf6ac7495b74e110a01a8198b88413080bd90db58bfff7bc840b
    • Opcode Fuzzy Hash: cf0b9bc54d6675bdf54b09453518b91943339e1b698eae9c6bf5820d5181119e
    • Instruction Fuzzy Hash: 56416EB350C210EFD306AF19DC816AEFBE9EF99720F16492EE6C583650D77458408A97
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5b77bd5a5ddca33ef4b658ee72a7845e8ff52362b911179b7ad2fd9a1a43cd38
    • Instruction ID: 84e7d73ea5a92ae5b911141d458c32ca16d3d08369eddefaf0c228c55d1f8e73
    • Opcode Fuzzy Hash: 5b77bd5a5ddca33ef4b658ee72a7845e8ff52362b911179b7ad2fd9a1a43cd38
    • Instruction Fuzzy Hash: 7F419FB350C200EFD306AF19DC816BAFBE9FF99320F16492EE6C592650D77448408A97
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0124a3b5740646aacc7afe505e1b0fc4705fd373e45b95e8b54c33a4c900c9ae
    • Instruction ID: f567cf946f2622baa1384d9ee16806f592d37969bf39bf246c5511e4e5b6afc9
    • Opcode Fuzzy Hash: 0124a3b5740646aacc7afe505e1b0fc4705fd373e45b95e8b54c33a4c900c9ae
    • Instruction Fuzzy Hash: 764159B210C204AFE3056F19ED86ABAFBF9FF49760F12082EE6D182600D7715944DB97
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 29e72238371ee83d8d3740a4415f4289d51b946e75ece9c4fe0e6ddacc3e9b39
    • Instruction ID: ce9859353cb9a435e6a16d5996319df675ae1dc0e37c957f25f39a49945c6e16
    • Opcode Fuzzy Hash: 29e72238371ee83d8d3740a4415f4289d51b946e75ece9c4fe0e6ddacc3e9b39
    • Instruction Fuzzy Hash: F94198B650C600AFE301AF1ADC8066AF7F9FFD8720F26493DE6C5C3610E67558458697
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f5620773fb914aff0fb6fa81834ebb3cb4d395419c61f0631e425b5cf8f5d6d5
    • Instruction ID: d50e0df60fcb59912fdeafe65fc6be35d53e1e7ac4bfa2606835cc88825379a1
    • Opcode Fuzzy Hash: f5620773fb914aff0fb6fa81834ebb3cb4d395419c61f0631e425b5cf8f5d6d5
    • Instruction Fuzzy Hash: D64198B660C6009FE301AF1ADC816AAF7F9FFD8720F26492DE6D4C3610E67158458B97
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bd24b6bd9c1688ec3908a36fc94953459276df7283cac1e1041baaab3750e447
    • Instruction ID: 3d0fa76f9bfcd560129f35f0a81355dc18cb991fd2fb22d93256aa67f6118334
    • Opcode Fuzzy Hash: bd24b6bd9c1688ec3908a36fc94953459276df7283cac1e1041baaab3750e447
    • Instruction Fuzzy Hash: F34194B260C7009FE301AF2ADD816AAF7F5FFD8720F26492DE6C4C3610E67558458A93
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 39afc552c0014804325066de121725d4fc4d4e78c958248df405b04a9226d9d9
    • Instruction ID: 9e21aae359bc7f6269a834a73ad3d9bf9f5e814044b847b82c43ff3c2af7fa58
    • Opcode Fuzzy Hash: 39afc552c0014804325066de121725d4fc4d4e78c958248df405b04a9226d9d9
    • Instruction Fuzzy Hash: 9A4118B250C304AFE3056F19E8866BAFBE9FF58720F12082EE6D582640D7715944DB57
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e49138a074e0bfeeaafcc2ee9976209b3904e69bf4e84e8b77e6b7591e5bc9d8
    • Instruction ID: be126fb5683232321b87bf210c814e3236ed801e323cad3186c1ff1ff2a404fd
    • Opcode Fuzzy Hash: e49138a074e0bfeeaafcc2ee9976209b3904e69bf4e84e8b77e6b7591e5bc9d8
    • Instruction Fuzzy Hash: EB21FBB39182109BE3186E24EC557FBB7D5EB90330F17863EDAC653A80DA39580086C6
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e928661af71579b57a7bdf1fccdb8f5cd200c37a7671a61126fab888cbfae1e0
    • Instruction ID: 8d53e60bcd6c4a81017a345a8135cd966f429e48863eda18a0b01a37e2ff917b
    • Opcode Fuzzy Hash: e928661af71579b57a7bdf1fccdb8f5cd200c37a7671a61126fab888cbfae1e0
    • Instruction Fuzzy Hash: 6F014B7250024ACFEB05DF44C144ADBB775FF49320F1982A9E8052BB91D3B01CD0CB49
    APIs
      • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
      • Part of subcall function 0044F044: IsBadWritePtr.KERNEL32(?,00000004), ref: 0044F052
    • wsprintfA.USER32 ref: 0044E00C
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 0044E0D0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: fe9c15505460835296404e0da9abe315018142c29fa1cb6a8a52199ffc431106
    • Instruction ID: 989fbfc09f0e893a47dff01b1749e6400742fd80de72455411126437a50a83f6
    • Opcode Fuzzy Hash: fe9c15505460835296404e0da9abe315018142c29fa1cb6a8a52199ffc431106
    • Instruction Fuzzy Hash: 7131177190010AFFEB119F95DC09EEEBB79FF48300F10812AF911A61A1C7759A61DB65
    APIs
    • GetFileAttributesExW.KERNEL32(00D603CC,00004020,00000000,-12065FEC), ref: 0044EC84
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
    • Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382235599.0000000000262000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382254091.0000000000266000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.000000000026A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000504000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382268852.0000000000514000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382665450.0000000000515000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1382900891.00000000006BC000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_260000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 096038c2a965a77fc39a39c3cd32741fe419b58f5af7bceadab741c813a1f06c
    • Instruction ID: f367fe2237c743685dd099fc6a2dda28f2b0c0d1416af744271f8aea11b8c7b2
    • Opcode Fuzzy Hash: 096038c2a965a77fc39a39c3cd32741fe419b58f5af7bceadab741c813a1f06c
    • Instruction Fuzzy Hash: 3E319CB1504305EFEB248F56C884B8FBBB0FF08314F00861AE95667690C379EAA5DF95
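    The function listing above is repetitive by design, but the useful triage signal is spread across it: which Win32 APIs each function reaches (CryptVerifySignatureA, IsBadWritePtr, LoadImageA, GetFileAttributesExW), which format strings accompany them (%8x$%8x), and the protection of the memory region the code was lifted from. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; it reads blocks in the layout printed above and pulls those fields out. Two things in it are assumptions: that the fifth dotted field of an .sdmp name (00000040, 00000004, 00000008, 00000080 in this listing) is a Win32 PAGE_* protection constant, which matches the values seen, and the condensed SAMPLE text, which is excerpted from the three API-bearing blocks above with the Associated lists shortened.

```python
"""Extract API, string and memory-protection indicators from Joe Sandbox function blocks."""
import re
from dataclasses import dataclass, field

# Win32 memory protection constants (winnt.h). Assumption: the 5th dotted field
# of a Joe Sandbox .sdmp name carries this value for the dumped region.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# pid.stage.dumpid.<base, 16 hex>.<protection, 8 hex>.<3 more 8-hex fields>.sdmp
SDMP_RE = re.compile(
    r"(\d{8}\.\d{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp)")
# "• Name.MODULE(...), ref: ADDR" or "• Part of subcall function X: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.([A-Z][A-Z0-9]*)")


@dataclass
class FunctionBlock:
    dump: str                 # .sdmp file the function was lifted from
    base: int                 # region base address parsed from the dump name
    protection: str           # decoded PAGE_* name (or raw hex if unknown)
    api_id: str = ""
    string_id: str = ""
    apis: list = field(default_factory=list)   # (api_name, module) pairs


def _parse_chunk(lines):
    blk = FunctionBlock(dump="", base=0, protection="unknown")
    for raw in lines:
        s = raw.strip()
        if s.startswith("• Source File:"):
            m = SDMP_RE.search(s)
            if m:
                blk.dump = m.group(1)
                blk.base = int(m.group(2), 16)
                prot = int(m.group(3), 16)
                blk.protection = PAGE_PROTECTION.get(prot, f"0x{prot:X}")
        elif s.startswith("• API ID:"):
            blk.api_id = s[len("• API ID:"):].strip()
        elif s.startswith("• String ID:"):
            blk.string_id = s[len("• String ID:"):].strip()
        elif "ref:" in s:                       # only API call lines carry "ref:"
            m = API_RE.match(s)
            if m:
                blk.apis.append((m.group(1), m.group(2)))
    return blk


def parse_blocks(text):
    """Split report text into per-function blocks; each ends at its Instruction Fuzzy Hash."""
    blocks, chunk = [], []
    for line in text.splitlines():
        chunk.append(line)
        if line.strip().startswith("• Instruction Fuzzy Hash:"):
            blocks.append(_parse_chunk(chunk))
            chunk = []
    return blocks


def apis_by_module(blocks):
    """Module -> sorted API names, across all functions (a quick import-style inventory)."""
    out = {}
    for b in blocks:
        for name, mod in b.apis:
            out.setdefault(mod, set()).add(name)
    return {m: sorted(v) for m, v in out.items()}


def rwx_functions(blocks):
    """Functions whose code sits in PAGE_EXECUTE_READWRITE memory, the footprint
    expected of code unpacked in place (cf. 'changes PE section rights')."""
    return [b for b in blocks if b.protection == "PAGE_EXECUTE_READWRITE"]


# Constructed sample: excerpted from the three API-bearing blocks of this report.
SAMPLE = """\
APIs
• CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 0044F995
Memory Dump Source
• Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
• Associated: 00000000.00000002.1382219888.0000000000260000.00000004.00000001.01000000.00000003.sdmp
Similarity
• API ID: CryptSignatureVerify
• String ID:
• Instruction Fuzzy Hash: 8AF01C7260460EFFCF01CF94CA44ACD7B72FF49308B108126F90596250D37A9665EF84
APIs
  • Part of subcall function 0044A943: GetCurrentThreadId.KERNEL32 ref: 0044A952
  • Part of subcall function 0044F044: IsBadWritePtr.KERNEL32(?,00000004), ref: 0044F052
• wsprintfA.USER32 ref: 0044E00C
• LoadImageA.USER32(?,?,?,?,?,?), ref: 0044E0D0
Memory Dump Source
• Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: CurrentImageLoadThreadWritewsprintf
• String ID: %8x$%8x
• Instruction Fuzzy Hash: 7131177190010AFFEB119F95DC09EEEBB79FF48300F10812AF911A61A1C7759A61DB65
APIs
• GetFileAttributesExW.KERNEL32(00D603CC,00004020,00000000,-12065FEC), ref: 0044EC84
Memory Dump Source
• Source File: 00000000.00000002.1382268852.00000000003FC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID: @
• Instruction Fuzzy Hash: 3E319CB1504305EFEB248F56C884B8FBBB0FF08314F00861AE95667690C379EAA5DF95
"""

if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(f"{b.base:08X} {b.protection:24} {b.api_id:36} {b.apis} {b.string_id!r}")
    print(apis_by_module(parse_blocks(SAMPLE)))
```

    Run on the full listing, the inventory is what a detection engineer would pivot on: every function here resolves from the 003FC000 region at protection 0x40, so the code reaching these APIs is executing from memory that is both writable and executable, consistent with the unpacking signatures at the top of the report rather than with a normally mapped .text section.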