Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532973
MD5: 94aee77a927d3436bf79fdcde9bb7086
SHA1: 987c32b911cd5cc1dfa067904e49daf2d0646638
SHA256: e077a9e696c374df6d6b934c72c2b59810dd21897049e16836798b3c61074afc
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5828 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 94AEE77A927D3436BF79FDCDE9BB7086)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: file.exe | Avira: detected
Source: file.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003EDE21 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1295566685.0000000004A00000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD19B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0032920C
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0024E254
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003822E5
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0038D2CB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_002D733E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00438334
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_002F83BE
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_002B743F
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00269601
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003876FB
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A96FC
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_002CB774
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0027C891
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00385906
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00379AD0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0029BB13
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00415C1E
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0037ECCF
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0038ACC4
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00383EA7
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 003E8E16 appears 35 times
Source: file.exe, 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe, 00000001.00000002.1429859545.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe. vs file.exe
Source: file.exe | Static PE information: Section: wxfyokhm ZLIB complexity 0.9952554043053545
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 53%
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1794048 > 1048576
Source: file.exe | Static PE information: Raw size of wxfyokhm is bigger than: 0x100000 < 0x1afe00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000001.00000003.1295566685.0000000004A00000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 1.2.file.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wxfyokhm:EW;ybvuafeo:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bbcf8 should be: 0x1c5268
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: wxfyokhm
Source: file.exe | Static PE information: section name: ybvuafeo
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003F5631 push ebp; mov dword ptr [esp], 1DE06756h (at 1_2_003F6040)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003F5631 push 68CC0BA6h; mov dword ptr [esp], esi (at 1_2_003F606F)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003F5631 push ebx; mov dword ptr [esp], edx (at 1_2_003F60EB)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003F5631 push ecx; mov dword ptr [esp], eax (at 1_2_003F6126)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003F5631 push 18B85A35h; mov dword ptr [esp], edx (at 1_2_003F614C)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039DD9A push 47E88348h; mov dword ptr [esp], esi (at 1_2_0039DDB2)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039E03E push edi; mov dword ptr [esp], eax (at 1_2_0039F5B7)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD034 push ecx; mov dword ptr [esp], ebx (at 1_2_003AD05D)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0041504F push 5CC67A16h; mov dword ptr [esp], edi (at 1_2_004150B8)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00454055 push edx; mov dword ptr [esp], ecx (at 1_2_004540A1)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD02C push ecx; mov dword ptr [esp], ebx (at 1_2_003AD05D)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004A3050 push eax; mov dword ptr [esp], edx (at 1_2_004A3075)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0040706B push 693A1A8Ch; mov dword ptr [esp], ecx (at 1_2_004070B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0040706B push 56765E29h; mov dword ptr [esp], ebx (at 1_2_004070FA)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0040706B push edi; mov dword ptr [esp], ebp (at 1_2_00407119)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039E00E push esi; mov dword ptr [esp], 3FFF1591h (at 1_2_0039E012)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061 push ecx; mov dword ptr [esp], edi (at 1_2_003A806B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061 push 4A3B6479h; mov dword ptr [esp], edi (at 1_2_003A816F)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061 push edx; mov dword ptr [esp], ecx (at 1_2_003A81B8)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061 push 585E2BAEh; mov dword ptr [esp], ebx (at 1_2_003A81DF)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061 push ecx; mov dword ptr [esp], 7C9D6867h (at 1_2_003A828B)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A8061 push 38173DD5h; mov dword ptr [esp], ebp (at 1_2_003A82BB)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD04D push ecx; mov dword ptr [esp], ebx (at 1_2_003AD05D)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A6040 push 5AA8A800h; mov dword ptr [esp], edx (at 1_2_003A6045)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A6040 push edx; mov dword ptr [esp], 7F4DBA60h (at 1_2_003A6826)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A40BE push 6959CDB2h; mov dword ptr [esp], edi (at 1_2_003A40CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004000CE push esi; mov dword ptr [esp], ebp (at 1_2_004000F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_004000CE push 3BD51BA8h; mov dword ptr [esp], eax (at 1_2_0040016E)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0044A0D5 push 11B99BA4h; mov dword ptr [esp], edi (at 1_2_0044A14A)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039E0A2 push ecx; mov dword ptr [esp], 4C57D731h (at 1_2_003A0380)
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_0039E0A2 push ebx; mov dword ptr [esp], eax (at 1_2_003A038B)
Source: file.exe | Static PE information: section name: entropy: 7.7974602758469205
Source: file.exe | Static PE information: section name: wxfyokhm entropy: 7.955041807116184
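The static rows above (non-standard and blank section names, a packed section mapped writable+executable, an entry point in a non-standard section, section entropy near 8.0, and a stored checksum that differs from the recomputed one) can all be reproduced from the PE headers without running the sample. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed file; it parses a PE with the standard library only and applies those checks. The sample it analyses is a constructed synthetic PE32 built in build_sample_pe() (it borrows the section name wxfyokhm from the report for readability); the set STANDARD_SECTIONS and the 7.5-bit entropy threshold are the author's assumptions, not values from the report.

```python
"""Static PE triage: section names, W+X sections, entry-point section,
per-section entropy, and CheckSum verification. Stdlib only.
build_sample_pe() constructs a synthetic PE32; it is NOT file.exe."""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_SCN_MEM_READ = 0x40000000
# Assumed list of names a stock toolchain emits; anything else is "non-standard".
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum: end-around-carry sum of 32-bit words with the
    CheckSum field skipped, folded to 16 bits, plus the file length.
    Assumes checksum_offset is 4-byte aligned (true for real PE files)."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 indicate packed data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Minimal PE32/PE32+ parser: entry RVA, CheckSum field, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                      # optional header follows the COFF header
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40    # 40-byte IMAGE_SECTION_HEADER entries
        raw_name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"raw_name": raw_name.rstrip(b"\0"), "vsize": vsize, "va": va,
                         "chars": chars, "raw": data[rawptr:rawptr + rawsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def triage(data: bytes) -> dict:
    """Run the static checks the report lists and return the findings."""
    pe = parse_pe(data)
    entry, entry_section, rows = pe["entry_rva"], None, []
    for s in pe["sections"]:
        name = s["raw_name"].decode("latin-1")
        has_entry = s["va"] <= entry < s["va"] + max(s["vsize"], len(s["raw"]))
        if has_entry:
            entry_section = name
        rows.append({"name": name,
                     "nonstandard": name not in STANDARD_SECTIONS,
                     "special_chars": not name or any(not 0x21 <= c <= 0x7E for c in s["raw_name"]),
                     "wx": bool(s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE),
                     "entropy": round(entropy(s["raw"]), 3),
                     "has_entry": has_entry})
    computed = pe_checksum(data, pe["checksum_offset"])
    return {"sections": rows, "entry_section": entry_section,
            "checksum_stored": pe["stored_checksum"], "checksum_computed": computed,
            "checksum_ok": pe["stored_checksum"] == computed}


def fix_checksum(data: bytes) -> bytes:
    """Copy of the file with the CheckSum a linker would have written."""
    off = parse_pe(data)["checksum_offset"]
    return data[:off] + struct.pack("<I", pe_checksum(data, off)) + data[off + 4:]


def build_sample_pe() -> bytes:
    """Constructed PE32 (not file.exe): .text, .rsrc, a W+X high-entropy section
    holding the entry point, and a nameless section. CheckSum is wrong on purpose."""
    rng = random.Random(1234)
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x200
    plan = [  # (name, characteristics, payload)
        (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20, b"\x90\xC3" * 128),
        (b".rsrc", IMAGE_SCN_MEM_READ | 0x40, b"\x00" * 64),
        (b"wxfyokhm", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE | 0x40,
         bytes(rng.getrandbits(8) for _ in range(4096))),
        (b"", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40, b"\x00" * 32),
    ]
    align = lambda v, a: (v + a - 1) // a * a
    sect_headers, body, va, rawptr, entry_rva = b"", b"", sect_align, hdr_size, 0
    for name, chars, payload in plan:
        rawsize = align(len(payload), file_align)
        sect_headers += struct.pack("<8sIIIIIIHHI", name, len(payload), va, rawsize,
                                    rawptr, 0, 0, 0, 0, chars)
        body += payload.ljust(rawsize, b"\x00")
        if name == b"wxfyokhm":
            entry_rva = va + 0x10        # entry point inside the packed section
        va, rawptr = va + align(len(payload), sect_align), rawptr + rawsize
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(plan), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x1200, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, sect_align, file_align, 6, 0, 0, 0, 6, 0, 0,
                      va, hdr_size, 0xDEADBEEF, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\x00" * 128
    headers = (dos + b"PE\0\0" + coff + opt + sect_headers).ljust(hdr_size, b"\x00")
    return headers + body
```

Run triage(open(path, "rb").read()) on a real sample to get the same kind of rows as the report; an invalid checksum on its own is weak evidence (many legitimate unsigned builds never fill the field in), so weigh it together with the W+X section and the entry-point location.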

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (this row is repeated 16 times in the report)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 391432 second address: 391436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 391436 second address: 39143A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 38A4DB second address: 38A4E5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF8DD0163CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 38A4E5 second address: 38A4FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FF8DCC5EBD1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390416 second address: 39043C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF8DD0163C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF8DD0163D8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39043C second address: 390440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390440 second address: 390444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390444 second address: 39045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jng 00007FF8DCC5EBCEh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39045F second address: 39046D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jne 00007FF8DD0163C6h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39046D second address: 390473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3905D9 second address: 390600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FF8DD0163D7h 0x0000000b popad 0x0000000c pushad 0x0000000d jne 00007FF8DD0163C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39089A second address: 3908A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3908A0 second address: 3908C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF8DD0163C6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007FF8DD0163CCh 0x00000012 pop edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007FF8DD0163C6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390A00 second address: 390A17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FF8DCC5EBC6h 0x00000009 pushad 0x0000000a popad 0x0000000b jnc 00007FF8DCC5EBC6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390A17 second address: 390A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DD0163CAh 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390C90 second address: 390CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBD8h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FF8DCC5EBCEh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390CBE second address: 390CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 390CC6 second address: 390CCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39336B second address: 393371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 393371 second address: 393375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3933D3 second address: 3933EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8DD0163D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3933EC second address: 39340C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 movzx edi, cx 0x0000000c je 00007FF8DCC5EBC8h 0x00000012 mov cl, AAh 0x00000014 push 00000000h 0x00000016 push 3124CA03h 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39340C second address: 393453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 3124CA83h 0x0000000e mov ecx, 2AD9C576h 0x00000013 push 00000003h 0x00000015 or si, 7200h 0x0000001a push 00000000h 0x0000001c push 00000003h 0x0000001e mov ecx, dword ptr [ebp+122D1AA0h] 0x00000024 call 00007FF8DD0163C9h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007FF8DD0163CAh 0x00000031 jmp 00007FF8DD0163CCh 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 393453 second address: 393459 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 393459 second address: 39345D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39345D second address: 39346B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39346B second address: 39346F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 39346F second address: 3934B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FF8DCC5EBD5h 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007FF8DCC5EBCBh 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF8DCC5EBD4h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3936AB second address: 3936B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3936B1 second address: 3936B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3937AD second address: 3937B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B5ED2 second address: 3B5ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 385419 second address: 38541D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B3E1F second address: 3B3E60 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007FF8DCC5EBC6h 0x00000009 pop esi 0x0000000a jmp 00007FF8DCC5EBD6h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 jmp 00007FF8DCC5EBD9h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4107 second address: 3B410D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B410D second address: 3B4117 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FF8DCC5EBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4117 second address: 3B4121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4121 second address: 3B4125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4125 second address: 3B4147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF8DD0163D5h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4147 second address: 3B414D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B414D second address: 3B4152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4152 second address: 3B415A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4C35 second address: 3B4C95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FF8DD0163E4h 0x0000000c pushad 0x0000000d jg 00007FF8DD0163C6h 0x00000013 jmp 00007FF8DD0163CEh 0x00000018 pushad 0x00000019 popad 0x0000001a push edi 0x0000001b pop edi 0x0000001c popad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FF8DD0163D5h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4C95 second address: 3B4CB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4CB1 second address: 3B4CB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4CB7 second address: 3B4CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4CBD second address: 3B4CCF instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8DD0163C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B4CCF second address: 3B4CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B5092 second address: 3B509C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF8DD0163C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B509C second address: 3B50B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8DCC5EBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FF8DCC5EBCFh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B568B second address: 3B5690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B57EC second address: 3B57F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B594E second address: 3B595A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B595A second address: 3B5960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B5960 second address: 3B597C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FF8DD0163D2h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B7CC9 second address: 3B7CCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B7CCF second address: 3B7CDC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF8DD0163C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B910E second address: 3B9112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B9112 second address: 3B912C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF8DD0163CFh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B912C second address: 3B914C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FF8DCC5EBD5h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3B914C second address: 3B9151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3BC379 second address: 3BC3B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FF8DCC5EBC6h 0x00000009 jng 00007FF8DCC5EBC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jmp 00007FF8DCC5EBD5h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF8DCC5EBCAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3BC3B1 second address: 3BC3B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3BC3B7 second address: 3BC3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 3BC3BB second address: 3BC3E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007FF8DD0163D5h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BC56F second address: 3BC575 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BC575 second address: 3BC57B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BC57B second address: 3BC58E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007FF8DCC5EBC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BC58E second address: 3BC592 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3BC592 second address: 3BC598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C196E second address: 3C1973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C10B3 second address: 3C10B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C10B7 second address: 3C10BD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C5C99 second address: 3C5C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C5C9D second address: 3C5CAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FF8DD0163CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C5CAE second address: 3C5CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C5D8D second address: 3C5D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C6C9E second address: 3C6CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 or di, 9942h 0x0000000e jmp 00007FF8DCC5EBD2h 0x00000013 push 00000000h 0x00000015 pushad 0x00000016 or dword ptr [ebp+122D2C80h], esi 0x0000001c mov di, ax 0x0000001f popad 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebp 0x00000025 call 00007FF8DCC5EBC8h 0x0000002a pop ebp 0x0000002b mov dword ptr [esp+04h], ebp 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc ebp 0x00000038 push ebp 0x00000039 ret 0x0000003a pop ebp 0x0000003b ret 0x0000003c mov si, ax 0x0000003f xchg eax, ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C6B1F second address: 3C6B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C6CF7 second address: 3C6D01 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF8DCC5EBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C87E5 second address: 3C8806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FF8DD0163D4h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CB7BA second address: 3CB7BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CBEFB second address: 3CBF17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FF8DD0163E1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C8FBC second address: 3C8FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3C8FC0 second address: 3C8FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE4BD second address: 3CE4D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FF8DCC5EBCFh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE4D8 second address: 3CE4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE580 second address: 3CE596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007FF8DCC5EBC6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FF8DCC5EBC6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF60D second address: 3CF651 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF8DD0163CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FF8DD0163C8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 je 00007FF8DD0163C6h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF651 second address: 3CF655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CF655 second address: 3CF659 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D06E4 second address: 3D0732 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, eax 0x0000000c push 00000000h 0x0000000e stc 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FF8DCC5EBC8h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b push ecx 0x0000002c mov edi, 73D7F463h 0x00000031 pop ebx 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 jl 00007FF8DCC5EBC6h 0x0000003c pop eax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D1702 second address: 3D1708 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE6C6 second address: 3CE751 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8DCC5EBC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov bl, D0h 0x0000000f mov dword ptr [ebp+122D1DEAh], eax 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FF8DCC5EBC8h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Bh 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 cmc 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e jng 00007FF8DCC5EBCCh 0x00000044 add dword ptr [ebp+122D249Bh], edi 0x0000004a mov eax, dword ptr [ebp+122D0EC9h] 0x00000050 call 00007FF8DCC5EBD4h 0x00000055 jg 00007FF8DCC5EBCCh 0x0000005b pop ebx 0x0000005c add dword ptr [ebp+122D2167h], eax 0x00000062 push FFFFFFFFh 0x00000064 mov ebx, esi 0x00000066 nop 0x00000067 pushad 0x00000068 pushad 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3CE751 second address: 3CE75B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D1900 second address: 3D1915 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF8DCC5EBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FF8DCC5EBC8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D291E second address: 3D29B1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF8DD0163C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FF8DD0163CEh 0x00000011 nop 0x00000012 movzx ebx, ax 0x00000015 push dword ptr fs:[00000000h] 0x0000001c mov ebx, 30F2557Dh 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 movzx edi, di 0x0000002b mov eax, dword ptr [ebp+122D1391h] 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FF8DD0163C8h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b push FFFFFFFFh 0x0000004d jne 00007FF8DD0163D9h 0x00000053 nop 0x00000054 jns 00007FF8DD0163D0h 0x0000005a push eax 0x0000005b jbe 00007FF8DD0163D4h 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D3754 second address: 3D375E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FF8DCC5EBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D1915 second address: 3D19F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF8DD0163D5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov di, si 0x00000011 push dword ptr fs:[00000000h] 0x00000018 call 00007FF8DD0163D8h 0x0000001d call 00007FF8DD0163CBh 0x00000022 movzx ebx, ax 0x00000025 pop ebx 0x00000026 pop ebx 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e xor dword ptr [ebp+122D2C8Ch], eax 0x00000034 mov dword ptr [ebp+124801A4h], ebx 0x0000003a mov eax, dword ptr [ebp+122D13CDh] 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007FF8DD0163C8h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 0000001Bh 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a call 00007FF8DD0163D1h 0x0000005f mov ebx, 3E74ACAFh 0x00000064 pop edi 0x00000065 jg 00007FF8DD0163CCh 0x0000006b mov bh, 22h 0x0000006d push FFFFFFFFh 0x0000006f add dword ptr [ebp+122D277Bh], ebx 0x00000075 nop 0x00000076 jnl 00007FF8DD0163D0h 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007FF8DD0163D7h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D19F9 second address: 3D1A03 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF8DCC5EBCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D3A50 second address: 3D3A77 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF8DD0163DDh 0x00000008 jmp 00007FF8DD0163D7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5845 second address: 3D5849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D3A77 second address: 3D3A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5849 second address: 3D586F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FF8DCC5EBCDh 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF8DCC5EBCDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D3A7B second address: 3D3A85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D3A85 second address: 3D3A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D7963 second address: 3D7971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163CAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5ABA second address: 3D5AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D5AC0 second address: 3D5AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D90C5 second address: 3D90C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D90C9 second address: 3D9142 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FF8DD0163D0h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FF8DD0163C8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov di, 32E7h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FF8DD0163C8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 cmc 0x00000049 push 00000000h 0x0000004b sub dword ptr [ebp+122D2C8Ch], edx 0x00000051 add ebx, 2DBE94F4h 0x00000057 xchg eax, esi 0x00000058 pushad 0x00000059 jbe 00007FF8DD0163CCh 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3802C6 second address: 3802CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3802CA second address: 3802D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3802D0 second address: 3802E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBD1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3802E5 second address: 3802F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DC875 second address: 3DC879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DC879 second address: 3DC8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov bx, 84DBh 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FF8DD0163C8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 push 00000000h 0x00000029 jmp 00007FF8DD0163CFh 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FF8DD0163D5h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DC8CF second address: 3DC8E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FF8DCC5EBCEh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DD8EE second address: 3DD8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DD8F3 second address: 3DD909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8DCC5EBD2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DE984 second address: 3DE9F2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF8DD0163C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FF8DD0163D9h 0x00000010 popad 0x00000011 nop 0x00000012 mov ebx, dword ptr [ebp+122D1EF7h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FF8DD0163C8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 clc 0x00000035 push 00000000h 0x00000037 call 00007FF8DD0163CFh 0x0000003c mov bx, dx 0x0000003f pop ebx 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 pushad 0x00000043 jo 00007FF8DD0163C6h 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DA297 second address: 3DA29D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DCB41 second address: 3DCB45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E0B1B second address: 3E0B37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF8DCC5EBD5h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DA29D second address: 3DA350 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FF8DD0163C8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007FF8DD0163C8h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 jno 00007FF8DD0163CDh 0x0000004a jmp 00007FF8DD0163D3h 0x0000004f mov dword ptr fs:[00000000h], esp 0x00000056 call 00007FF8DD0163D1h 0x0000005b pushad 0x0000005c sub dword ptr [ebp+122D1D49h], edi 0x00000062 mov esi, dword ptr [ebp+122D29A3h] 0x00000068 popad 0x00000069 pop edi 0x0000006a mov eax, dword ptr [ebp+122D0EBDh] 0x00000070 push FFFFFFFFh 0x00000072 mov bx, si 0x00000075 nop 0x00000076 jns 00007FF8DD0163D4h 0x0000007c push eax 0x0000007d push edx 0x0000007e jng 00007FF8DD0163C6h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E0B37 second address: 3E0B3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DA350 second address: 3DA35D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37B0BA second address: 37B0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBCFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 37B0CD second address: 37B0D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D82A5 second address: 3D82A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D82A9 second address: 3D82AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D82AF second address: 3D82B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D82B5 second address: 3D82B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3D82B9 second address: 3D82BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E204E second address: 3E2053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEBFF second address: 3DEC03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3DEC03 second address: 3DEC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E21F1 second address: 3E21F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E21F6 second address: 3E22BA instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8DD0163D5h 0x00000008 jmp 00007FF8DD0163CFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jg 00007FF8DD0163CEh 0x00000016 nop 0x00000017 call 00007FF8DD0163D6h 0x0000001c jmp 00007FF8DD0163D2h 0x00000021 pop edi 0x00000022 push dword ptr fs:[00000000h] 0x00000029 sbb bx, 648Fh 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007FF8DD0163C8h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 0000001Dh 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f mov ebx, 229F63EBh 0x00000054 mov eax, dword ptr [ebp+122D0801h] 0x0000005a push 00000000h 0x0000005c push ebx 0x0000005d call 00007FF8DD0163C8h 0x00000062 pop ebx 0x00000063 mov dword ptr [esp+04h], ebx 0x00000067 add dword ptr [esp+04h], 00000015h 0x0000006f inc ebx 0x00000070 push ebx 0x00000071 ret 0x00000072 pop ebx 0x00000073 ret 0x00000074 mov edi, dword ptr [ebp+122D1FB6h] 0x0000007a push FFFFFFFFh 0x0000007c nop 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 jno 00007FF8DD0163C6h 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 3E22BA second address: 3E22BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 436B7A second address: 436B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF8DCC5EBC6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF8DCC5EBD3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 436B9C second address: 436BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 436BA0 second address: 436BAA instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF8DCC5EBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437872 second address: 43789A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF8DD0163C6h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007FF8DD0163CCh 0x00000012 popad 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 je 00007FF8DD0163C6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43789A second address: 43789E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437B5B second address: 437B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437B61 second address: 437B6B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF8DCC5EBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 437B6B second address: 437B75 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF8DD0163CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4383EA second address: 4383F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438703 second address: 438707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 438707 second address: 438711 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8DCC5EBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 43D6B9 second address: 43D6C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4419E7 second address: 4419EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 441084 second address: 441088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 441088 second address: 4410A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBCEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007FF8DCC5EBCEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4410A6 second address: 4410BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnp 00007FF8DD0163C6h 0x0000000b jmp 00007FF8DD0163CCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4410BF second address: 4410E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FF8DCC5EBD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4410E1 second address: 4410E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4413C4 second address: 4413CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 441692 second address: 4416A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jg 00007FF8DD0163C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4416A0 second address: 4416A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4416A9 second address: 4416AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4416AD second address: 4416D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBD8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF8DCC5EBCBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 443102 second address: 44310D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FF8DD0163C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44944D second address: 449457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF8DCC5EBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449457 second address: 44945D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44945D second address: 449463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449463 second address: 449469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449469 second address: 44946D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44946D second address: 449477 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF8DD0163C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449477 second address: 449485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FF8DCC5EBC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449485 second address: 449489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4495BD second address: 4495C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4495C1 second address: 4495C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4495C7 second address: 4495D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4495D2 second address: 4495E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d jnc 00007FF8DD0163CEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4495E7 second address: 4495F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF8DCC5EBC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4495F7 second address: 4495FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4498C5 second address: 4498CF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF8DCC5EBCEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4498CF second address: 4498DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FF8DD0163C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449A42 second address: 449A72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF8DCC5EBCDh 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF8DCC5EBCFh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449A72 second address: 449A8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8DD0163D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449A8E second address: 449A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449A92 second address: 449A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449BFF second address: 449C11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBCEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449D64 second address: 449D9F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF8DD0163CDh 0x0000000b jmp 00007FF8DD0163CBh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF8DD0163D9h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 449D9F second address: 449DB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBD1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44A18D second address: 44A193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44A193 second address: 44A197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44A2F9 second address: 44A2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 453F5D second address: 453F6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBCAh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 453F6D second address: 453F77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF8DD0163C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 453F77 second address: 453FA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007FF8DCC5EBD1h 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FF8DCC5EBC6h 0x00000019 jne 00007FF8DCC5EBC6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 453FA9 second address: 453FB3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF8DD0163C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FE70 second address: 45FE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FE75 second address: 45FE7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FE7D second address: 45FE81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FE81 second address: 45FE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8DD0163D4h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 45FE9D second address: 45FEBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBD1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 462DCC second address: 462DEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FF8DD0163C6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46451B second address: 464525 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF8DCC5EBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464525 second address: 46452F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46452F second address: 464543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBD0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464543 second address: 464547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464547 second address: 46454D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F4EE second address: 46F507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F507 second address: 46F522 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46F522 second address: 46F528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 46E11C second address: 46E120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47987C second address: 479885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 479885 second address: 479899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF8DCC5EBCEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47D82F second address: 47D846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4822D6 second address: 4822DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4822DA second address: 4822F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF8DD0163D3h 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48259D second address: 4825BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FF8DCC5EBCAh 0x0000000a jmp 00007FF8DCC5EBD0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4825BE second address: 4825D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FF8DD0163CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4825D7 second address: 4825E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DCC5EBCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4825E5 second address: 482600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF8DD0163D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 482777 second address: 48279F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF8DCC5EBD1h 0x00000008 jmp 00007FF8DCC5EBD2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48279F second address: 4827A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4835BF second address: 4835CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FF8DCC5EBD6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4835CC second address: 4835F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF8DD0163CAh 0x00000009 jmp 00007FF8DD0163D6h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 486428 second address: 486433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 486433 second address: 486452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jmp 00007FF8DD0163D8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 493452 second address: 493456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A2A7A second address: 4A2A7F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A2A7F second address: 4A2A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A2A88 second address: 4A2A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A2A8C second address: 4A2A90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A4685 second address: 4A46B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jl 00007FF8DD0163C6h 0x0000000c jmp 00007FF8DD0163D6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A46B2 second address: 4A46C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF8DCC5EBD0h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A46C9 second address: 4A46DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF8DD0163D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AC488 second address: 4AC492 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF8DCC5EBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AB67A second address: 4AB67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4AB67E second address: 4AB69A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF8DCC5EBCEh 0x0000000d jo 00007FF8DCC5EBC6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABA93 second address: 4ABAAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163CCh 0x00000007 push edi 0x00000008 js 00007FF8DD0163C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABBEC second address: 4ABC0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBCCh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnl 00007FF8DCC5EBC6h 0x00000012 jl 00007FF8DCC5EBC6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABC0D second address: 4ABC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABC13 second address: 4ABC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4ABDC3 second address: 4ABE1B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF8DD0163F3h 0x00000008 push edi 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jne 00007FF8DD0163D8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4ABFD4 second address: 4AC002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DCC5EBD9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c ja 00007FF8DCC5EC07h 0x00000012 jg 00007FF8DCC5EBD2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC002 second address: 4AC008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC008 second address: 4AC011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC1AF second address: 4AC1D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF8DD0163D6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FF8DD0163CEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC1D5 second address: 4AC1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC1DF second address: 4AC1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AC1E6 second address: 4AC1F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF8DCC5EBCAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4AFB67 second address: 4AFB74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF8DD0163C6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B397D second address: 4B3991 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF8DCC5EBC6h 0x00000008 jnl 00007FF8DCC5EBC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B3991 second address: 4B3999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B6242 second address: 4B6247 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4B7EFC second address: 4B7F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF8DD0163C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3BAD83 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3C386D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4BD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4C60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD19B rdtsc 1_2_003AD19B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A6907 sidt fword ptr [esp-02h] 1_2_003A6907
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7360 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003F40BE GetSystemInfo,VirtualAlloc, 1_2_003F40BE
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003AD19B rdtsc 1_2_003AD19B
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003A5886 LdrInitializeThunk, 1_2_003A5886
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_003ECF63 GetSystemTime,GetFileTime, 1_2_003ECF63

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (the number in front of a technique is the count of matching signatures; cells without a number did not match):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 41 Disable or Modify Tools | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Bypass User Account Control | 271 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 271 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Bypass User Account Control | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Source | Detection | Scanner | Label
file.exe | 53% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532973
Start date and time: 2024-10-14 08:32:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 58%
  • Number of executed functions: 29
  • Number of non-executed functions: 27
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, ctldl.windowsupdate.com, time.windows.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big: too many NtProtectVirtualMemory calls found
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.936868828590309
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'794'048 bytes
MD5: 94aee77a927d3436bf79fdcde9bb7086
SHA1: 987c32b911cd5cc1dfa067904e49daf2d0646638
SHA256: e077a9e696c374df6d6b934c72c2b59810dd21897049e16836798b3c61074afc
SHA512: f2cfd8139a1c9e272d07d493fdc37b24b72285c037443c285400eaac5492da54e648448b1a4983bfb1a98062715ffde7a593dbe51e812eb64cc56c7721e9b69d
SSDEEP: 49152:etrUpqFilMIhxbBboAHvp1BVhMIt8R1T5DLokJ:etrUsShxdbtvp1lMIG/Z
TLSH: 148533AEAE10F57BC05A4E310433D6D122ECA490992F91D61F19B37B991370A7927CFA
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`G.. ...`....@.. ........................G...........`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x876000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction: jmp 00007FF8DCB2092Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(empty name) | 0x2000 | 0x4000 | 0x1200 | a7577fb950d2dd5f543d94b1434a8060 | False | 0.9325086805555556 | data | 7.7974602758469205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(empty name) | 0xa000 | 0x2ba000 | 0x200 | be42b036af63c56aecc71f973b4cf317 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wxfyokhm | 0x2c4000 | 0x1b0000 | 0x1afe00 | a9a9919e2b815dc046aa76a15a8d1e2b | False | 0.9952554043053545 | data | 7.955041807116184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ybvuafeo | 0x474000 | 0x2000 | 0x400 | dfd56e884447d6cedfcddaa71299ee94 | False | 0.8173828125 | data | 6.314118788998932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x476000 | 0x4000 | 0x2200 | 66eac0d02cb069f44fc056b00babf914 | False | 0.0978860294117647 | DOS executable (COM) | 1.1225373699862689 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID: 1
Start time: 02:33:01
Start date: 14/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x200000
File size: 1'794'048 bytes
MD5 hash: 94AEE77A927D3436BF79FDCDE9BB7086
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


    Execution Graph

    Execution Coverage: 5.5%
    Dynamic/Decrypted Code Coverage: 2.6%
    Signature Coverage: 3%
    Total number of Nodes: 466
    Total number of Limit Nodes: 18

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-120C5FEC), ref: 003F40CA
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 003F412B
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: f14ce953cc523d56535175f96669cfb7d464d31c242f30674ae0027566b7bb9d
    • Instruction ID: ccb1c4e5ba5c76943ac0e8881960e951b47a6218ab269285342f10cac484d58f
    • Opcode Fuzzy Hash: f14ce953cc523d56535175f96669cfb7d464d31c242f30674ae0027566b7bb9d
    • Instruction Fuzzy Hash: 8D4120B6E00206ABE365DF65C845FA6BBACFB59700F000162B707DE992E77095D0CFA0
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fa678bff8a0075da902ff092af32ec8689ce76e13e56adee0825688fe81f9147
    • Instruction ID: ef282d9e9fc6cb1bfe084ef9fbef59533582b5280ce3c564e7e1ddd6367f1d95
    • Opcode Fuzzy Hash: fa678bff8a0075da902ff092af32ec8689ce76e13e56adee0825688fe81f9147
    • Instruction Fuzzy Hash: B81162B3641A0A9EDB039A284C113EE3BD1CB43331F268226E005EF593C6B94D9AC320
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 003EE50C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: 1002$O/5$V$g-r
    • API String ID: 1029625771-2227675188
    • Opcode ID: a35b728bbb1370447af8b88a035a5655a3fe5d44d20f8cb1ccaafc9161fa179f
    • Instruction ID: 92cc8e0964f6114cd082cc00739f7305a1ce6ccad011d04a597a06a73e2570ca
    • Opcode Fuzzy Hash: a35b728bbb1370447af8b88a035a5655a3fe5d44d20f8cb1ccaafc9161fa179f
    • Instruction Fuzzy Hash: 97D2AFB460825EDFEB16DF29C848ADF3BA5EB08304F100125AD5692EA5E37A4D74DF18

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 317 3ea4e9-3ea501 call 3ea353 320 3ea50c-3ea516 317->320 321 3ea507 317->321 323 3ea51c-3ea51f call 3f5331 320->323 324 3ea524-3ea535 call 3e8e16 call 3e9528 320->324 322 3ea5c4-3ea5ce 321->322 326 3ea5e7-3ea5eb 322->326 327 3ea5d4-3ea5e2 call 3ea314 322->327 323->324 336 3ea53a-3ea53c 324->336 331 3ea605-3ea60e LoadLibraryExA 326->331 332 3ea5f1-3ea600 LoadLibraryExW 326->332 335 3ea614 327->335 331->335 332->335 337 3ea61e-3ea621 335->337 338 3ea5bf call 3e8ec1 336->338 339 3ea542-3ea543 336->339 338->322 341 3ea546-3ea549 339->341 342 3ea54f-3ea550 341->342 343 3ea555-3ea55c 341->343 342->341 344 3ea568-3ea56f 343->344 345 3ea562-3ea563 343->345 346 3ea584-3ea595 344->346 347 3ea575-3ea57e 344->347 345->338 348 3ea59b call 3efdba 346->348 349 3ea5a0-3ea619 call 3e9e54 call 3efd6f call 3e8ec1 346->349 347->346 348->349 349->337
    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 003EA5FA
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 003EA60E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: ee27334e1470a6d0f2c8d753fbdb8931d54256ade8aa76e17b62ddddd4fd9615
    • Instruction ID: cd4ed6e2d0a6a49fa47399709bfed59cc37da4b059940ceb5a3ccc528a96ee78
    • Opcode Fuzzy Hash: ee27334e1470a6d0f2c8d753fbdb8931d54256ade8aa76e17b62ddddd4fd9615
    • Instruction Fuzzy Hash: 5331BF31404AA9FFCF27AF52D804AAD7B75FF05310F144225F8465A1E1D730A9A0EB62

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 357 3ea9ef-3eaa00 call 3ea353 360 3eaa0b-3eaa14 call 3e8e16 357->360 361 3eaa06 357->361 367 3eaa1a-3eaa26 call 3e9528 360->367 368 3eaa48-3eaa4f 360->368 363 3eaa9f-3eaaa3 361->363 365 3eaaa9-3eaab2 GetModuleHandleW 363->365 366 3eaab7-3eaaba GetModuleHandleA 363->366 369 3eaac0 365->369 366->369 374 3eaa2b-3eaa2d 367->374 372 3eaa9a call 3e8ec1 368->372 373 3eaa55-3eaa5c 368->373 371 3eaaca-3eaacc 369->371 372->363 373->372 375 3eaa62-3eaa69 373->375 374->372 377 3eaa33-3eaa38 374->377 375->372 378 3eaa6f-3eaa76 375->378 377->372 379 3eaa3e-3eaac5 call 3e8ec1 377->379 378->372 380 3eaa7c-3eaa90 378->380 379->371 380->372
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,003EA981,?,00000000,00000000), ref: 003EAAAC
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,003EA981,?,00000000,00000000), ref: 003EAABA
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: 637300b5f8caf1dae8f47c47a9507ea84821feae0968ab07cb3cf95b0eed42cf
    • Instruction ID: 4cf3ab8abdb9b2866d19241f68f4fe8a6abe48386a2b618dddcd0b1bc3b4d298
    • Opcode Fuzzy Hash: 637300b5f8caf1dae8f47c47a9507ea84821feae0968ab07cb3cf95b0eed42cf
    • Instruction Fuzzy Hash: B511A030608BA6EEEB339F16DA0876C76B4BF00341F044336A805585D0D7B4E9D1DA93

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 384 3ed349-3ed357 385 3ed35d-3ed364 384->385 386 3ed369 384->386 387 3ed370-3ed386 call 3e8e16 call 3e957a 385->387 386->387 392 3ed38c-3ed39a call 3e9528 387->392 393 3ed3a5 387->393 398 3ed3a0 392->398 399 3ed3b1-3ed3b6 392->399 395 3ed3a9-3ed3ac 393->395 397 3ed3dc-3ed3e3 call 3e8ec1 395->397 398->395 401 3ed3bc-3ed3c8 GetFileAttributesW 399->401 402 3ed3cd-3ed3d0 GetFileAttributesA 399->402 404 3ed3d6-3ed3d7 401->404 402->404 404->397
    APIs
    • GetFileAttributesW.KERNELBASE(00BFF6EC,-120C5FEC), ref: 003ED3C2
    • GetFileAttributesA.KERNEL32(00000000,-120C5FEC), ref: 003ED3D0
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 872cfc779cce535bab415613eb16f06892e134a4d1600a1502d7a5e875e89878
    • Instruction ID: 58ad27f3329a560b81274636f2db196d68803120696e1a6a10e40fa15fc821cc
    • Opcode Fuzzy Hash: 872cfc779cce535bab415613eb16f06892e134a4d1600a1502d7a5e875e89878
    • Instruction Fuzzy Hash: CB01AF747041A4FAEB23AFA6D90D79D7F70BF40340F604325E6026A4E1D7B08A91EB52

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 473 3e93c9-3e93f9 475 3e93ff-3e9414 473->475 476 3e9524-3e9525 473->476 475->476 478 3e941a-3e941e 475->478 479 3e9424-3e9436 PathAddExtensionA 478->479 480 3e9440-3e9447 478->480 483 3e943f 479->483 481 3e944d-3e945c call 3e906a 480->481 482 3e9469-3e9470 480->482 487 3e9461-3e9463 481->487 485 3e9476-3e947d 482->485 486 3e94b2-3e94b9 482->486 483->480 488 3e9496-3e94a5 call 3e906a 485->488 489 3e9483-3e948c 485->489 490 3e94bf-3e94d5 call 3e906a 486->490 491 3e94db-3e94e2 486->491 487->476 487->482 499 3e94aa-3e94ac 488->499 489->488 494 3e9492 489->494 490->476 490->491 492 3e94e8-3e94fe call 3e906a 491->492 493 3e9504-3e950b 491->493 492->476 492->493 493->476 498 3e9511-3e951e call 3e90a3 493->498 494->488 498->476 499->476 499->486
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 003E942B
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 3df65cb3f108f77ea11be74afce8d6c5bf23b3718e82437cdaf5a754ae1ca8f5
    • Instruction ID: 8b4f20daea08d96829009481e507b2d5524ad96f26914168235ede6222665c5a
    • Opcode Fuzzy Hash: 3df65cb3f108f77ea11be74afce8d6c5bf23b3718e82437cdaf5a754ae1ca8f5
    • Instruction Fuzzy Hash: 4331F93560025AFEDF23DF96C809FAEB7B9AF05304F010262F911A91D0D7729A65DB51

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 504 4c10d42-4c10d97 506 4c10d99-4c10d9c 504->506 507 4c10d9f-4c10da3 504->507 506->507 508 4c10da5-4c10da8 507->508 509 4c10dab-4c10dda OpenSCManagerW 507->509 508->509 510 4c10de3-4c10df7 509->510 511 4c10ddc-4c10de2 509->511 511->510
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04C10DCD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1431776191.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4c10000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID: U?4
    • API String ID: 1889721586-4264680371
    • Opcode ID: d3123578b8fee445248de6cf9de4f3a9328276a101912e1ae91315424759adcd
    • Instruction ID: 8fd0dca31b9d8008811313ebfbd4b693129143dfe8d33902f09423828abf7a82
    • Opcode Fuzzy Hash: d3123578b8fee445248de6cf9de4f3a9328276a101912e1ae91315424759adcd
    • Instruction Fuzzy Hash: 432138B6C012099FCB50DF9AD885BDEFBB1EB89710F14822AD818AB344C774A541CBA4

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 513 4c10d48-4c10d97 515 4c10d99-4c10d9c 513->515 516 4c10d9f-4c10da3 513->516 515->516 517 4c10da5-4c10da8 516->517 518 4c10dab-4c10dda OpenSCManagerW 516->518 517->518 519 4c10de3-4c10df7 518->519 520 4c10ddc-4c10de2 518->520 520->519
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04C10DCD
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1431776191.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4c10000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID: U?4
    • API String ID: 1889721586-4264680371
    • Opcode ID: 8bb3d0adb53839d9c50bbec17d2cc0296d5dcc0f04fdf3449106de0ccf3e3acf
    • Instruction ID: 5c2cb5a05300a7da03e6a2177040706dc671cc53247e8d477182c1a65192b4ee
    • Opcode Fuzzy Hash: 8bb3d0adb53839d9c50bbec17d2cc0296d5dcc0f04fdf3449106de0ccf3e3acf
    • Instruction Fuzzy Hash: 282135B6C002099FCB10DF9AD885BDEFBF5EB88310F14821AD808AB244C774A540CBA4

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 522 4c11509-4c11550 523 4c11558-4c1158d ControlService 522->523 524 4c11596-4c115b7 523->524 525 4c1158f-4c11595 523->525 525->524
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04C11580
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1431776191.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4c10000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID: U?4
    • API String ID: 253159669-4264680371
    • Opcode ID: 742bfd6cb4e605a9729b0228e5f2c0397f762333b188c377dc6f9d554fc059ce
    • Instruction ID: 12df6e24dd64de5b30281a056fa7214a64b89e3e5f96db73108e1b36fbb69bd2
    • Opcode Fuzzy Hash: 742bfd6cb4e605a9729b0228e5f2c0397f762333b188c377dc6f9d554fc059ce
    • Instruction Fuzzy Hash: B32144B1C003098FDB20CF9AC485BDEFBF4EB48320F108029E919A3250C778AA45CFA1

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 527 4c11510-4c1158d ControlService 529 4c11596-4c115b7 527->529 530 4c1158f-4c11595 527->530 530->529
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04C11580
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1431776191.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4c10000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID: U?4
    • API String ID: 253159669-4264680371
    • Opcode ID: 6ea1d0dc113f5959db122c5c96328707183c879002467cfc0f70da4f5798ba0e
    • Instruction ID: 36d2a226a3ac0059c216058a8fc74b36e5ea1c90cdb017a26a4e44025584efc2
    • Opcode Fuzzy Hash: 6ea1d0dc113f5959db122c5c96328707183c879002467cfc0f70da4f5798ba0e
    • Instruction Fuzzy Hash: BF1114B1D003498FDB20CF9AC485BDEFBF4EB48320F148029E959A3250D778AA44CFA5

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 532 4c11301-4c11341 533 4c11349-4c11374 ImpersonateLoggedOnUser 532->533 534 4c11376-4c1137c 533->534 535 4c1137d-4c1139e 533->535 534->535
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04C11367
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1431776191.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4c10000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID: U?4
    • API String ID: 2216092060-4264680371
    • Opcode ID: 3b6478f155a27308ddf2d4e3fa0d8088d80af4510aa47b13e8977db3e70be2d8
    • Instruction ID: 0d2591f3a55abbbbf60562dbd659bd00ba034c94ee8b4fca531154ac380eab84
    • Opcode Fuzzy Hash: 3b6478f155a27308ddf2d4e3fa0d8088d80af4510aa47b13e8977db3e70be2d8
    • Instruction Fuzzy Hash: C31113B1C003498FDB20DF9AC485BDEFBF4EB48320F14842AD558A3250D778A945CFA5

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 537 4c11308-4c11374 ImpersonateLoggedOnUser 539 4c11376-4c1137c 537->539 540 4c1137d-4c1139e 537->540 539->540
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04C11367
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1431776191.0000000004C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4c10000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID: U?4
    • API String ID: 2216092060-4264680371
    • Opcode ID: aa99e6ad87df84d080467ed38a730b3827ebee9fc5999bfab32e6ff75deb1ca6
    • Instruction ID: 0a6ee816ad1d1a35418fc15443311c7a25cef81594e394bbe9221647d38f1f37
    • Opcode Fuzzy Hash: aa99e6ad87df84d080467ed38a730b3827ebee9fc5999bfab32e6ff75deb1ca6
    • Instruction Fuzzy Hash: 4811F2B18003498FDB20DF9AC945BDEBBF8EB48320F24842AD558A3650D778A945CFA5

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 542 3eaad8-3eaaeb call 3e8e16 545 3eab2e-3eab42 call 3e8ec1 GetModuleHandleExA 542->545 546 3eaaf1-3eaafd call 3e9528 542->546 552 3eab4c-3eab4e 545->552 549 3eab02-3eab04 546->549 549->545 551 3eab0a-3eab11 549->551 553 3eab1a-3eab47 call 3e8ec1 551->553 554 3eab17 551->554 553->552 554->553
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 003EAB3C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: 609cd5fc39199cea548adaf9f0f60483dc8de0bae6b9f5762b389ecccc1e7499
    • Instruction ID: 929c7dbbb028190fb4bf69c9afb674bca5d3d04dcdf6602041730dc205faa22c
    • Opcode Fuzzy Hash: 609cd5fc39199cea548adaf9f0f60483dc8de0bae6b9f5762b389ecccc1e7499
    • Instruction Fuzzy Hash: F3F090316046A6AFCF129F56C846B9E7BB6FF54300F108211FE058D0D2D731D4A19A22

    Control-flow Graph (nodes marked executed / not executed)
    control_flow_graph 585 3ed565-3ed573 586 3ed579-3ed580 585->586 587 3ed585 585->587 588 3ed58c-3ed598 call 3e8e16 586->588 587->588 591 3ed59e-3ed5a8 call 3ed472 588->591 592 3ed5b3-3ed5c3 call 3ed517 588->592 591->592 599 3ed5ae 591->599 597 3ed5c9-3ed5d0 592->597 598 3ed5d5-3ed5e3 call 3e9528 592->598 600 3ed5f4-3ed5f9 597->600 598->600 605 3ed5e9-3ed5ea call 3ead6c 598->605 599->600 603 3ed5ff-3ed61d CreateFileW 600->603 604 3ed622-3ed637 CreateFileA 600->604 606 3ed63d-3ed63e 603->606 604->606 609 3ed5ef 605->609 608 3ed643-3ed64a call 3e8ec1 606->608 609->608
    APIs
    • CreateFileW.KERNELBASE(00BFF6EC,?,?,-120C5FEC,?,?,?,-120C5FEC,?), ref: 003ED617
      • Part of subcall function 003ED517: IsBadWritePtr.KERNEL32(?,00000004), ref: 003ED525
    • CreateFileA.KERNEL32(?,?,?,-120C5FEC,?,?,?,-120C5FEC,?), ref: 003ED637
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 5212c8e72ca19e189d7db763def657ea149605b8218e7c994c848ae9a98edfff
    • Instruction ID: b08dd9eb5ccfc570c75da06a170d3248d3a4627f9327cda839cdf1b425ee15d9
    • Opcode Fuzzy Hash: 5212c8e72ca19e189d7db763def657ea149605b8218e7c994c848ae9a98edfff
    • Instruction Fuzzy Hash: AC1126311001AAFADF239F92DD09BEE3E32BF45308F404225B915294E1CB36CAB1EB51
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    • GetCurrentProcess.KERNEL32(-120C5FEC), ref: 003ECEDE
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 003ECF44
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: ee9524a406481e40e2139b9334918aa7098623cf259eed51c6da2c82233e87eb
    • Instruction ID: 64cbedce39224861698e2ab82476da6e8782706a9a5f3460f16ad13926501030
    • Opcode Fuzzy Hash: ee9524a406481e40e2139b9334918aa7098623cf259eed51c6da2c82233e87eb
    • Instruction Fuzzy Hash: 91011D326001AAFBCF23AFA6DC49C9E3B7ABF883507005B15F91595091CB32D563EB61
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,cA?,003F445D,?,?,?,?,?,cA?,?,?,003F4163), ref: 003F4481
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: cA?
    • API String ID: 4275171209-3939827474
    • Opcode ID: c54e95a89ee15a9ef8c806d75e5786da74ea6428bcc8d83e7a3d7224e81199b5
    • Instruction ID: 5373b3bac845c4e9256d01f1023dd32069aeeb23b34e2170209538357fd003c7
    • Opcode Fuzzy Hash: c54e95a89ee15a9ef8c806d75e5786da74ea6428bcc8d83e7a3d7224e81199b5
    • Instruction Fuzzy Hash: 15F0F9B1900309EFE7218F05CC05B6A7BB4FF48321F118015F54AAB691D37084D0DF50
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 003E8E25
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 6d26a981ea83114a5e8dc96b8bee1c50b86d3a0742c150f3b6e15043031f4c9e
    • Instruction ID: baa5d71db21cde5e945af338a8bcfc43ca25cba06c0437e53a11f0fff323ee0b
    • Opcode Fuzzy Hash: 6d26a981ea83114a5e8dc96b8bee1c50b86d3a0742c150f3b6e15043031f4c9e
    • Instruction Fuzzy Hash: ECF0B431605699EFD7229F62C94475EB2B4FF8031AF300279E50685581CBB51D85EA81
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6796a4668fce4a60607f270018c849706daf364cdb462a4ad3c3d566607ddcf9
    • Instruction ID: 4de2f664da2c98476d1466b25c92a423654eed16d5f4c71e7c9c395e880fc04f
    • Opcode Fuzzy Hash: 6796a4668fce4a60607f270018c849706daf364cdb462a4ad3c3d566607ddcf9
    • Instruction Fuzzy Hash: A6417BB1902209EFDB26CF14CA84BBB7BA5FF40310F159094E642AB692C371AD90DB51
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 003EB605
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: d13b741d25461b9ee9c8fe312bd96a49bea876e8126ed2a2d4c9ea41ddf899c8
    • Instruction ID: e772911612c6d156f8b2f130237d6ac4c46a07ca5ac8b1efe9634f0226686376
    • Opcode Fuzzy Hash: d13b741d25461b9ee9c8fe312bd96a49bea876e8126ed2a2d4c9ea41ddf899c8
    • Instruction Fuzzy Hash: A431E271A00258FBDB229F62DC46F9EB7B8FF44314F208265F915AA1D1D771A941CF10
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 003EADEE
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 5bb210ace25b767e9b50adbb04728197a56528031214a296008f2644432ee7f2
    • Instruction ID: 0370bc7bb178ecfa2ac16650ce1e60866127961c51588a45101f2307f35291d5
    • Opcode Fuzzy Hash: 5bb210ace25b767e9b50adbb04728197a56528031214a296008f2644432ee7f2
    • Instruction Fuzzy Hash: 64312571600604BAEB319F65DC46F8AB7B8FF40724F204365FA10EE0D1C3B1B9418B51
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 003F48E4
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 61d7b03acbd14f0e7235820e94f0a8febbff537a6a4d95c2c952d5bfadd2c97c
    • Instruction ID: 6f5cca1e04e9bd2fe307c6b8d0b4a49f5ba46dbf9b4bb0c1e4adabb4978d9c8b
    • Opcode Fuzzy Hash: 61d7b03acbd14f0e7235820e94f0a8febbff537a6a4d95c2c952d5bfadd2c97c
    • Instruction Fuzzy Hash: 81119371B0122C9BFB329A148C48BFF77BCEF95751F1140A9EA45A6045D7F49E808AA1
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-120C5FEC), ref: 003EE124
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: 1868b85577a1fe63a063b334a1d65a5e08d466d0c3a42657d58f2fe4c19f6943
    • Instruction ID: c0ee74e62aa88032b010c336b784752a3671bf8f9aa57fc561bb47b23c689092
    • Opcode Fuzzy Hash: 1868b85577a1fe63a063b334a1d65a5e08d466d0c3a42657d58f2fe4c19f6943
    • Instruction Fuzzy Hash: 40110C325001AAEBCF136FA6DD09D9E7B66BF94380B044611F911594A1C736C9B2EB61
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 23efcba5d8f202170014425d7607f0f107f8ab76ea2d91f1a49bbb9934efd549
    • Instruction ID: 680fc7ca440aee21e67798370c74d2cc10c3920b17d5c2b774e299a1e7e395e9
    • Opcode Fuzzy Hash: 23efcba5d8f202170014425d7607f0f107f8ab76ea2d91f1a49bbb9934efd549
    • Instruction Fuzzy Hash: 951161325001AAEACF13AFA6C80DE9F7B79AF94344F018610F916594E1C735D962EB20
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-120C5FEC,?,?,003EB498,?,?,00000400,?,00000000,?,00000000), ref: 003ED7D5
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: e80e3d7d2115c33c97262a9482966ee00f7ff0694dd44a228d52914bcd46a57a
    • Instruction ID: 5377c8dca08d00ccbe332d7a6c5f9966296402718015639dc9e7cf1bd69863f2
    • Opcode Fuzzy Hash: e80e3d7d2115c33c97262a9482966ee00f7ff0694dd44a228d52914bcd46a57a
    • Instruction Fuzzy Hash: F1F03C3250449AEBCF135FA6D809D8E3F26BF84340F104625F905490A1C732C4A1EB61
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 6f4d0db01453de04ee3b47c73214756efc1fbf12273efaa3a9eec5bb618dd8e3
    • Instruction ID: c25d7231eed71374402e4135d691562f627392188369d624b79e0636de0e306f
    • Opcode Fuzzy Hash: 6f4d0db01453de04ee3b47c73214756efc1fbf12273efaa3a9eec5bb618dd8e3
    • Instruction Fuzzy Hash: A8E065B1518B108FD7123F28C5C966CBBE4EF44260F130A2EDAC047B10DA741881CB87
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: fe34fe9b8be164ed7cf1823634507946e25c79dcf38a6c4f8c36f3c50364b03f
    • Instruction ID: 553e3bc0746e5436b8de226f9fe0703e1bfea4a6fddfcd5121d78b1136239d05
    • Opcode Fuzzy Hash: fe34fe9b8be164ed7cf1823634507946e25c79dcf38a6c4f8c36f3c50364b03f
    • Instruction Fuzzy Hash: 0101FB71A0015DFFDF229FA6CC04EDEBB7AEF49780F4002B1B405A45A1D7329A62DB64
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    • CloseHandle.KERNELBASE(003EB52D,-120C5FEC,?,?,003EB52D,?), ref: 003EBBA8
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: 717193c345c5f966dd962620bfa215f67ff118a809128a8d2e296b222034ae7a
    • Instruction ID: e4e3a161c3ea7c0e161a3844a03e2b9aa87bcb11abffa2a8e63b77ad6b18bcda
    • Opcode Fuzzy Hash: 717193c345c5f966dd962620bfa215f67ff118a809128a8d2e296b222034ae7a
    • Instruction Fuzzy Hash: D5E04FB2A045F2A6CE237F7BD84AC4FBA28AFD03507104331B40A9D4E6DF31D4929631
    APIs
    • CloseHandle.KERNELBASE(?,?,003E8CB5,?,?), ref: 003EAC35
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: e0ea105751e0941fee90a5d5e649f67a8a6b5ad7580eb48c5e1ad37b252a6808
    • Instruction ID: d51d5e890eb601dbedfedee8af889095705532a6db83220ac8a30a10a03758f2
    • Opcode Fuzzy Hash: e0ea105751e0941fee90a5d5e649f67a8a6b5ad7580eb48c5e1ad37b252a6808
    • Instruction Fuzzy Hash: D6B09231104519BBCF22BF52EC07C4DBF6AFF11398B108220F916984618B72E9719B91
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: ;n$%2k$02Eo$7?x$?A_g$^Ck$qk{$rre$%n?
    • API String ID: 0-1590372342
    • Opcode ID: eea98d88a66382f3e8bd0fae769071146fdf5b9190968aa2505c7cf8419595f7
    • Instruction ID: 9ad6cc06b03574431c9087425b50bc8f9ea497ab760e0da910e4408ad43af428
    • Opcode Fuzzy Hash: eea98d88a66382f3e8bd0fae769071146fdf5b9190968aa2505c7cf8419595f7
    • Instruction Fuzzy Hash: F6B206F3A082109FE3146E29EC8567AFBE9EFD4720F16853DEAC4C7744EA3558058692
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: hs}$!*9J$'<o$0w~$Jw$RTwO$\]Wx$`yq]$1_
    • API String ID: 0-1206449864
    • Opcode ID: c32c7f4ea28fd88524b5d0b99ab4dd6826c846cf43265f476d7e2bc263c5c48b
    • Instruction ID: 2af37771c183bf63529221a4535d6a7e3de3bfe77c212630e002e1ec85531bb0
    • Opcode Fuzzy Hash: c32c7f4ea28fd88524b5d0b99ab4dd6826c846cf43265f476d7e2bc263c5c48b
    • Instruction Fuzzy Hash: 678207F360C200AFE3046F2DEC8567ABBE9EF94320F16463DEAD583744EA3558158697
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: N~{$%-g$'x?$3;G$?+{$Gs~v$bu?$^~v
    • API String ID: 0-3558397994
    • Opcode ID: e3ff974da9b4382fd1b9de514b4377689abd433b1bce409c644d56abd95e1b03
    • Instruction ID: 2321cee937f1911c172f8542dc4c8a0533d6896a3002c0d54f14980622d9f86c
    • Opcode Fuzzy Hash: e3ff974da9b4382fd1b9de514b4377689abd433b1bce409c644d56abd95e1b03
    • Instruction Fuzzy Hash: A3B216F390C2149FE304AE2DEC8567ABBE5EF94320F1A893DEAC4C7744E63558458687
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: 3@}_$Axwl$D{'~$N;N$mbz$"~[$7vZ
    • API String ID: 0-2379289627
    • Opcode ID: 9a8f5ee5b9cbce0eeaa73f8533293d35fc1ccb96f7797f9829a428f5b3ae53e4
    • Instruction ID: 550de585884d9ca6593ed6ff40a960d4868d1b8628d951475f7623e1db04d6b7
    • Opcode Fuzzy Hash: 9a8f5ee5b9cbce0eeaa73f8533293d35fc1ccb96f7797f9829a428f5b3ae53e4
    • Instruction Fuzzy Hash: 5FB2F9F360C2009FE704AE2DEC8577AB7E9EBD4720F1A853DE6C4C7744EA3598058696
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: 5>8]$7@e$V?w$f@Wo$T/
    • API String ID: 0-1998706179
    • Opcode ID: 606849173a5ec4d1c963e43aac0f350fb5dfb3ed04202a5ebd093e47cacfb677
    • Instruction ID: 68f2b75d017be9f3c5ce5afdf029764d896f905cbced2a2f30c24179c2b1f3bb
    • Opcode Fuzzy Hash: 606849173a5ec4d1c963e43aac0f350fb5dfb3ed04202a5ebd093e47cacfb677
    • Instruction Fuzzy Hash: 3C9205F360C2049FE3046E2DEC8567AFBE9EF94720F1A4A3DE6C587744EA7558018687
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: 1v#$!1v#$'\v$@({o
    • API String ID: 0-2131753385
    • Opcode ID: cf6f23086f0e7efad992ddbd5ae769250344060360b06d9afeabc403c01fd37c
    • Instruction ID: eeb9595a7e22973b5e6b48bb0eda445162e53d4bbf85bcacdc54a532195fc965
    • Opcode Fuzzy Hash: cf6f23086f0e7efad992ddbd5ae769250344060360b06d9afeabc403c01fd37c
    • Instruction Fuzzy Hash: 03A2E7F3A0C204AFE3046E2DEC8567AFBE9EB94720F1A463DE6C4C7744E63558148697
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
    • GetSystemTime.KERNEL32(?,-120C5FEC), ref: 003ECF98
    • GetFileTime.KERNEL32(?,?,?,?,-120C5FEC), ref: 003ECFDB
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: 8e3057b0384c54c10ddcc6e3730e10101a516d55ddd3944b2e0a3bccc7419c5f
    • Instruction ID: 14b0c32e9d786c93df953488442a1235c1bdd0d9551c03b99ce2a0533e74dcd0
    • Opcode Fuzzy Hash: 8e3057b0384c54c10ddcc6e3730e10101a516d55ddd3944b2e0a3bccc7419c5f
    • Instruction Fuzzy Hash: 0301EC326144D6EBCF225F6AD80DD8EBF76EFC5310B004222F815895A1C732D8A2DB20
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: ~k
    • API String ID: 0-3788400470
    • Opcode ID: 22dcdb36e319c7f7e9d36bc61684d1addfbd1a1423d9356d9e359dcb3272a05d
    • Instruction ID: 8e0c9f66cc9044c409f341f332e8fd727a2625612c9ee2d0a3e02d0d80d0cdd0
    • Opcode Fuzzy Hash: 22dcdb36e319c7f7e9d36bc61684d1addfbd1a1423d9356d9e359dcb3272a05d
    • Instruction Fuzzy Hash: 31B2E6F390C2049FE304AE29DC8567AFBE9EF94720F1A892DE6C4C3744EA7558058797
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: *BN_$_
    • API String ID: 0-2216255536
    • Opcode ID: 40f03baa2b339b7ea3b34c75de917b0e833c87ff446aea7da17d324b421c2768
    • Instruction ID: 6a662939da6d4c6e8049f1d1eed03566006d38e410cfadb465fc51165767e04a
    • Opcode Fuzzy Hash: 40f03baa2b339b7ea3b34c75de917b0e833c87ff446aea7da17d324b421c2768
    • Instruction Fuzzy Hash: E05136F3A487086FF3046A29EC55B7AB7D9DBD4320F1A423DE6C587384FD3A58058286
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: !.>$!.>
    • API String ID: 0-702899907
    • Opcode ID: 2dfa374ede5e682fe996b661ca7ce49137ea98816a32abc5482f56049e37b60b
    • Instruction ID: 3fd3a197fdcce57f2e21a9faa4d8dc3b357937238faf75a5ef60ec99f1617f10
    • Opcode Fuzzy Hash: 2dfa374ede5e682fe996b661ca7ce49137ea98816a32abc5482f56049e37b60b
    • Instruction Fuzzy Hash: B651D4B3A0C6205FE3146E2DEC8577ABBD5EB84324F16892EEAC9C3744E9345941C7C6
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 003EDE68
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: cba6c8ede4ca25d42de369cc6f2e449017edaa66b62d85833825778d45eaede0
    • Instruction ID: 43fcf1c18ae82eb591543a8893466f488b550eed536048655c05a609d011b7f5
    • Opcode Fuzzy Hash: cba6c8ede4ca25d42de369cc6f2e449017edaa66b62d85833825778d45eaede0
    • Instruction Fuzzy Hash: 6EF01C3260024AFFCF42CFA5C94899D7B71FF54344B108169F9159A651D37196A0EF40
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: yl83
    • API String ID: 0-3740393379
    • Opcode ID: 701bc649031f346676e90b19dcdd64ea04e89284f928d1c5e8aed2cdf12dd5fb
    • Instruction ID: 955f818e02a0b30289c301fd19288e7105c53ff9b87b60dfedad3f1aa43d79ba
    • Opcode Fuzzy Hash: 701bc649031f346676e90b19dcdd64ea04e89284f928d1c5e8aed2cdf12dd5fb
    • Instruction Fuzzy Hash: C461F7F3A082009BE314AE2DDD4573AB7E6DBD4720F1A863EDBC8D7380E97958058646
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: _A>S
    • API String ID: 0-1893022764
    • Opcode ID: f780df3fa36d8209c6d5d24216f123774e98f197a68143676f2c6d89e3e066a1
    • Instruction ID: 26ed4ac86ed75ab7cd60b0c031efd63440604be4a53a427a5487e8774617ddb8
    • Opcode Fuzzy Hash: f780df3fa36d8209c6d5d24216f123774e98f197a68143676f2c6d89e3e066a1
    • Instruction Fuzzy Hash: 31517BF3A083084FE714AD29DCC577AB7D5EBD4320F1A863DDAC4C7744EA39480A8296
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID: ,eo}
    • API String ID: 0-1231928504
    • Opcode ID: 9d6a6681e0233c4d953bda196ac06f3033e6f07690a98d0e5c49b0802ca5531e
    • Instruction ID: 6f2e532d4f1b793e1db72eab4a37f06997faf3e79ee54ac31a4dd7e2ae9851e3
    • Opcode Fuzzy Hash: 9d6a6681e0233c4d953bda196ac06f3033e6f07690a98d0e5c49b0802ca5531e
    • Instruction Fuzzy Hash: 6741C3B250C505DFD706EF29D8806BEB7E9EB9A310F22092FD9C6C7E00E6325851DB56
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 330774bc894de14e950cc1a504a8ba71617b3e2233cd01bd446f8a6371dde9df
    • Instruction ID: a86fccbac468743e0efa6569a054e3c02e0feb95491d69cbc294fcffa1158dc0
    • Opcode Fuzzy Hash: 330774bc894de14e950cc1a504a8ba71617b3e2233cd01bd446f8a6371dde9df
    • Instruction Fuzzy Hash: E971D6F36081109FE310AA2DED8577AB7E5EFD8320F19893DDAC4C3744EA3598158697
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 09ad17b9b9ffe64237d44f1ac04377d46fd684d1ba337d2ea17e105841151da8
    • Instruction ID: 4a533504bf2958d94cfe2ed1fefacba9d187572d3ceb11eefd3eb2648673e847
    • Opcode Fuzzy Hash: 09ad17b9b9ffe64237d44f1ac04377d46fd684d1ba337d2ea17e105841151da8
    • Instruction Fuzzy Hash: B88146F3A192049BE308AE29DC5577AF7D6EBD4320F2B453DE6C983780E9395C018786
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e1d5312dfaadb40feeab3ba323017d4b2ef041c26730daa67021282aaf8668a3
    • Instruction ID: 85bed347993b0b3df9430d7cffe6c361d2fc0c1037deb95015036702807846c5
    • Opcode Fuzzy Hash: e1d5312dfaadb40feeab3ba323017d4b2ef041c26730daa67021282aaf8668a3
    • Instruction Fuzzy Hash: A481CEB7F216224BF3444974DD58362268397D1321F3F82788E5C6BBCADCBE5C0A5284
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ae589fe24cef872f75684e7bfa3e3d90a94de4bc8aec77a2242023e8f0433915
    • Instruction ID: 4eef1ffe3da5c24900bd57c6046b60e9f3e75c2e95cc20ae03af9350ddcd49b4
    • Opcode Fuzzy Hash: ae589fe24cef872f75684e7bfa3e3d90a94de4bc8aec77a2242023e8f0433915
    • Instruction Fuzzy Hash: EB4115F3E146104FF3549928DC8937ABADADB94720F2B853DDAC4D7388E8788D058786
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5f4d42a3920b8e70aa488d60c5487da9e0bc7260e60cdfaa674c60f7066e202f
    • Instruction ID: 63184668d5da2487a58d17cfa6196461ff52f5cad7621beb1ca57582152e3e92
    • Opcode Fuzzy Hash: 5f4d42a3920b8e70aa488d60c5487da9e0bc7260e60cdfaa674c60f7066e202f
    • Instruction Fuzzy Hash: 114126B390C500EFD2165F299C1567AFBEAEBD5320F36092EE5C687A40DE7108469787
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b8102df7f5b18e84dbe1a578c8d9eb05f0c13110f61cc7eb0910839d429befc6
    • Instruction ID: 640f47cdc3c77a6eb1a482639cead9743f23852da749c89b4328da9f936083b2
    • Opcode Fuzzy Hash: b8102df7f5b18e84dbe1a578c8d9eb05f0c13110f61cc7eb0910839d429befc6
    • Instruction Fuzzy Hash: 8341ADF3A183185BE308693CEC6437A77D9DBA4730F1A423DE686D73C0F97998054286
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b49fce26b4d1f6279f1632e1ed9a8338a1748e4268f90e253abb16b62dee53a7
    • Instruction ID: 64dd3c76af33ccbe1e352eaf52430776169ae70d1d8d27cf99866c369f6ba039
    • Opcode Fuzzy Hash: b49fce26b4d1f6279f1632e1ed9a8338a1748e4268f90e253abb16b62dee53a7
    • Instruction Fuzzy Hash: D6412BB3A083184BE3006A6DDC84767F7D9EFD4760F1A863DDA88D3B44E57A59014296
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3c402daf871df9f40256d01c3482c4a615f0294a646da385ac1ed307935a7882
    • Instruction ID: aa425d17acfb7f697ee5080ce6506a0f756da6e1c035ef85f2190152409cde6e
    • Opcode Fuzzy Hash: 3c402daf871df9f40256d01c3482c4a615f0294a646da385ac1ed307935a7882
    • Instruction Fuzzy Hash: 54412BB3A081105FE304AE2DDC4567AF7EAEFE4220F1A463EEAC4D7344E6755C1186D2
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b08e576d89b4915d99aafec680452b351b4b1630f01823194c27c9899684188a
    • Instruction ID: 95557afcba77c543b4e1db810f4e0833b723613cbbb204d15cb6bf8c01ce4a6a
    • Opcode Fuzzy Hash: b08e576d89b4915d99aafec680452b351b4b1630f01823194c27c9899684188a
    • Instruction Fuzzy Hash: D34135B250C600AFD306AF29D8816AAFBF4EF99721F06482EE6C5C3211D7305844CB57
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 11f2b9e2d1e92ae06f94bef68b98f2802a96a1977a5fb2ba5685d92873ead194
    • Instruction ID: a1cfbb41cbdb77c7048bd8704072fac6a945ae721c14d8228e827911c4479ee5
    • Opcode Fuzzy Hash: 11f2b9e2d1e92ae06f94bef68b98f2802a96a1977a5fb2ba5685d92873ead194
    • Instruction Fuzzy Hash: DA01A2B280C308DFE355BE68DC867AAF7E4FB18310F06481DDAE4D3610E735A5509A87
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: aad6913e724e6a42b22072699cbb5f2128882da2ecb4159fc1108a38bf7c58de
    • Instruction ID: 89570e40649875a83e06b6609cc79268000607b844e26aaf717b3f30940d9013
    • Opcode Fuzzy Hash: aad6913e724e6a42b22072699cbb5f2128882da2ecb4159fc1108a38bf7c58de
    • Instruction Fuzzy Hash: DF01E4B1A0020ADADB24CF44C1096EBBBB5FF49721F1682A9D8069BA51D3705CD4EB4D
    APIs
      • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
      • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
      • Part of subcall function 003ED517: IsBadWritePtr.KERNEL32(?,00000004), ref: 003ED525
    • wsprintfA.USER32 ref: 003EC4DF
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 003EC5A3
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: b694c4bac6f6f97a99dab8d4c1cee2d19b69b957d7c8d9674a3adbb72408c314
    • Instruction ID: 52060726ea3e57fe1af1a604aadce0db87b481e387acc0fc0513b50ef0d63902
    • Opcode Fuzzy Hash: b694c4bac6f6f97a99dab8d4c1cee2d19b69b957d7c8d9674a3adbb72408c314
    • Instruction Fuzzy Hash: 9C311771A0015AFBCF229F95DC49EEEBB79FF88300F108125F911A61A1C7319A62DB60
    APIs
    • GetFileAttributesExW.KERNEL32(00BFF6EC,00004020,00000000,-120C5FEC), ref: 003ED157
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
    • Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1428973608.0000000000202000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429012449.0000000000206000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.000000000020A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004B5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429049002.00000000004C4000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429348653.00000000004C5000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429500786.0000000000674000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000001.00000002.1429521004.0000000000676000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_200000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 62a5a24727c84feaeb880b307c66ae54a5a32ea89da341a689f5d2507b1e29a5
    • Instruction ID: 8b9791a1858f24e6070c33f56676458fc39dac3ad96d14cb17dfa61455d6fca0
    • Opcode Fuzzy Hash: 62a5a24727c84feaeb880b307c66ae54a5a32ea89da341a689f5d2507b1e29a5
    • Instruction Fuzzy Hash: 4531ADB5604355EFDB268F56C84879EBFB4FF04300F008229E9566B6A0C371EAA5DF80
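    The API call sites, string IDs and hashes in these per-function records are what a reviewer correlates across the whole report, and the text form above is awkward to work with by hand. The parser below is an added example written for this page (the editor's own Python, not Joe Sandbox code): it reads records in the extracted text form, with SAMPLE constructed from the two API-bearing records above (GetCurrentThreadId/Sleep/IsBadWritePtr/wsprintfA/LoadImageA and GetFileAttributesExW), resolves subcall attribution and call-site addresses, and flags functions whose API mix is commonly associated with anti-analysis. The EVASION_APIS grouping and the expectation that Opcode ID equals Opcode Fuzzy Hash (true of every record on this page) are the editor's assumptions, not Joe Sandbox signatures.

```python
"""Parse Joe Sandbox per-function records as extracted on this page and pull
out what a reviewer wants: which APIs each function reaches, from where, and
whether the mix looks like anti-analysis. Added example, not Joe Sandbox code."""
import re

# Constructed sample: the two API-bearing records from this page, verbatim.
SAMPLE = """\
APIs
  • Part of subcall function 003E8E16: GetCurrentThreadId.KERNEL32 ref: 003E8E25
  • Part of subcall function 003E8E16: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 003E8E68
  • Part of subcall function 003ED517: IsBadWritePtr.KERNEL32(?,00000004), ref: 003ED525
• wsprintfA.USER32 ref: 003EC4DF
• LoadImageA.USER32(?,?,?,?,?,?), ref: 003EC5A3
Strings
Memory Dump Source
• Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000001.00000002.1428936705.0000000000200000.00000004.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CurrentImageLoadSleepThreadWritewsprintf
• String ID: %8x$%8x
• API String ID: 2375920415-2046107164
• Opcode ID: b694c4bac6f6f97a99dab8d4c1cee2d19b69b957d7c8d9674a3adbb72408c314
• Opcode Fuzzy Hash: b694c4bac6f6f97a99dab8d4c1cee2d19b69b957d7c8d9674a3adbb72408c314
• Instruction Fuzzy Hash: 9C311771A0015AFBCF229F95DC49EEEBB79FF88300F108125F911A61A1C7319A62DB60
APIs
• GetFileAttributesExW.KERNEL32(00BFF6EC,00004020,00000000,-120C5FEC), ref: 003ED157
Strings
Memory Dump Source
• Source File: 00000001.00000002.1429049002.000000000039C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00200000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID: @
• API String ID: 3188754299-2726393805
• Opcode ID: 62a5a24727c84feaeb880b307c66ae54a5a32ea89da341a689f5d2507b1e29a5
• Opcode Fuzzy Hash: 62a5a24727c84feaeb880b307c66ae54a5a32ea89da341a689f5d2507b1e29a5
• Instruction Fuzzy Hash: 4531ADB5604355EFDB268F56C84879EBFB4FF04300F008229E9566B6A0C371EAA5DF80
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}
# "• [Part of subcall function X: ]Api.Module[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Editor's assumption: APIs whose presence in one function is a common
# anti-debug / anti-sandbox tell (timing, bad-pointer probes, debugger queries).
EVASION_APIS = {"Sleep", "IsBadWritePtr", "GetTickCount", "QueryPerformanceCounter",
                "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}


def parse_records(text):
    """Split the report text into one dict per function record."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if cur is None:
            cur = {"apis": [], "fields": {}, "source_file": None, "offset": None}
        if line in HEADERS:
            section = line
            continue
        if section == "APIs" and (m := API_RE.match(raw)):
            cur["apis"].append({
                "api": m["api"], "module": m["mod"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": int(m["ref"], 16),
                "subcall": int(m["sub"], 16) if m["sub"] else None})
            continue
        if not (m := FIELD_RE.match(raw)):
            continue
        key, val = m["key"].strip(), m["val"].strip()
        val = val.removesuffix("Download File").rstrip()  # link-text residue from extraction
        if key == "Source File":  # "<dump>.sdmp, Offset: 00200000, based on PE: true"
            parts = [p.strip() for p in val.split(",")]
            cur["source_file"] = parts[0]
            for p in parts[1:]:
                k, _, v = p.partition(":")
                if k.strip() == "Offset":
                    cur["offset"] = int(v.strip(), 16)
        elif key == "Associated":
            cur.setdefault("associated", []).append(val)
        else:
            cur["fields"][key] = val
        if key == "Instruction Fuzzy Hash":  # last line of a record on this page
            records.append(cur)
            cur, section = None, None
    if cur is not None and (cur["apis"] or cur["fields"]):
        records.append(cur)
    return records


def evasion_hits(record):
    """Anti-analysis-associated APIs reached from one function, subcalls included."""
    return sorted({a["api"] for a in record["apis"] if a["api"] in EVASION_APIS})


def api_index(records):
    """API name -> sorted call-site addresses across all records."""
    idx = {}
    for r in records:
        for a in r["apis"]:
            idx.setdefault(a["api"], set()).add(a["ref"])
    return {k: sorted(v) for k, v in idx.items()}


def sanity_check(record):
    """Extraction consistency checks to run before trusting a record."""
    f, issues = record["fields"], []
    if f.get("Opcode ID") != f.get("Opcode Fuzzy Hash"):  # identical on this page
        issues.append("Opcode ID differs from Opcode Fuzzy Hash")
    if bool(f.get("API ID")) != bool(record["apis"]):
        issues.append("API ID and parsed API call sites disagree")
    return issues


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(hex(r["offset"]), [a["api"] for a in r["apis"]], evasion_hits(r), sanity_check(r))
```

    Run it on a whole saved report and sort functions by the size of evasion_hits to find the timing and probe routines first; api_index then gives the call-site addresses to set breakpoints on when re-running the sample under a debugger.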