Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538182
MD5: b8547daa28e0e2569a67323723f7b6a3
SHA1: d82928db453bfa7a0b27f0569f43e73678dab73e
SHA256: 7bf5806bb4413fdf12d823fadccbad4ff2964b433af0dc9b8cc77c4efb70d480
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B8547DAA28E0E2569A67323723F7B6A3)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E07B65 CryptVerifySignatureA, 0_2_00E07B65
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1674349049.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00E02B5A appears 35 times
Source: file.exe, 00000000.00000000.1661957211.0000000000C26000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename defOff.exe vs file.exe
Source: file.exe | Binary or memory string: OriginalFilename defOff.exe vs file.exe
Source: file.exe | Static PE information: Section: kztqccpr ZLIB complexity 0.9951342998217998
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1748992 > 1048576
Source: file.exe | Static PE information: Raw size of kztqccpr is bigger than: 0x100000 < 0x1a4e00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000003.1674349049.00000000053F0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kztqccpr:EW;wruvxkpy:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bacff should be: 0x1b5852
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: kztqccpr
Source: file.exe | Static PE information: section name: wruvxkpy
Source: file.exe | Static PE information: section name: .taggant
Source: file.exe | Static PE information: section name: entropy: 7.760468854355582
Source: file.exe | Static PE information: section name: kztqccpr entropy: 7.954365764154436

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA70F0 second address: DA7100 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FE990B55936h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE1196 second address: DE119C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7100 second address: DA7104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA7104 second address: DA7120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007FE991190402h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1F26 second address: DA1F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE990B55936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE4727 second address: DE472B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1F30 second address: DA1F55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B5593Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007FE990B55936h 0x00000010 jnl 00007FE990B55936h 0x00000016 jns 00007FE990B55936h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6B5F second address: DE6BD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE991190406h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jnc 00007FE9911903FCh 0x00000012 push 00000000h 0x00000014 mov esi, 000E32F7h 0x00000019 push 00000000h 0x0000001b jno 00007FE9911903FCh 0x00000021 mov dword ptr [ebp+122D209Dh], esi 0x00000027 xchg eax, ebx 0x00000028 jmp 00007FE991190408h 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 jmp 00007FE991190406h 0x00000036 pop eax 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE819B second address: DE81F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FE990B55943h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FE990B5593Eh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FE990B55938h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d mov di, 099Ch 0x00000031 push 00000000h 0x00000033 mov esi, dword ptr [ebp+122D398Eh] 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE81F5 second address: DE81F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE81F9 second address: DE81FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9D78 second address: DE9D95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE991190403h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9D95 second address: DE9DBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B55949h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FE990B55936h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE9DBC second address: DE9DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA555D second address: DA5561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5561 second address: DA556B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE9911903F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA556B second address: DA5571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5571 second address: DA5577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5577 second address: DA557B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEB5A4 second address: DEB5A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7EEC second address: DE7EF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEB5A9 second address: DEB5AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7EF0 second address: DE7EF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7EF4 second address: DE7F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE991190404h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEEF50 second address: DEEF54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7F14 second address: DE7F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEEF54 second address: DEEF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7F18 second address: DE7F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE7F1E second address: DE7F28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FE990B55936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE8984 second address: DE8988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2F64 second address: DF2F6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3F9B second address: DF3FAE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007FE9911903F6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5EFB second address: DF5F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5F00 second address: DF5F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5F06 second address: DF5F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FE990B55936h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6F1F second address: DF6F41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9911903FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FE9911903FBh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF6F41 second address: DF6F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7E76 second address: DF7E91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE991190407h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF7F36 second address: DF7F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF90A4 second address: DF90A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF90A8 second address: DF90FD instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE990B55936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e or dword ptr [ebp+122D2341h], ecx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007FE990B55938h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 xor bx, 4D94h 0x00000035 push 00000000h 0x00000037 js 00007FE990B5593Ch 0x0000003d push eax 0x0000003e push eax 0x0000003f jc 00007FE990B5593Ch 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA024 second address: DFA028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB1C8 second address: DFB1D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE990B55936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFC004 second address: DFC008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFC008 second address: DFC00E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFC00E second address: DFC03A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE9911903FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FE991190406h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFC03A second address: DFC03F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFC03F second address: DFC044 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFD046 second address: DFD09C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FE990B55938h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov edi, dword ptr [ebp+122D1E81h] 0x0000002b push 00000000h 0x0000002d sub dword ptr [ebp+12480FBFh], eax 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FE990B55947h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFF10A second address: DFF110 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFF110 second address: DFF115 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0123 second address: DF01B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D27F1h], edx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FE9911903F8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 xor bl, FFFFFFE6h 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007FE9911903F8h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 0000001Dh 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 mov ebx, 20682CC4h 0x0000005a mov eax, dword ptr [ebp+122D0E05h] 0x00000060 add dword ptr [ebp+122D19CFh], esi 0x00000066 push FFFFFFFFh 0x00000068 mov edi, dword ptr [ebp+122D3A7Ah] 0x0000006e stc 0x0000006f push eax 0x00000070 pushad 0x00000071 push edx 0x00000072 jo 00007FE9911903F6h 0x00000078 pop edx 0x00000079 push eax 0x0000007a push edx 0x0000007b pushad 0x0000007c popad 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF2150 second address: DF2156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF413B second address: DF413F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF413F second address: DF4149 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE990B5593Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF805C second address: DF8060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8060 second address: DF8149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jp 00007FE990B55953h 0x0000000d nop 0x0000000e jmp 00007FE990B55943h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push eax 0x0000001b jmp 00007FE990B5593Ch 0x00000020 pop ebx 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007FE990B55938h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 call 00007FE990B5593Ch 0x00000047 pushad 0x00000048 mov dword ptr [ebp+122D1B2Ah], eax 0x0000004e mov dword ptr [ebp+124656FDh], ebx 0x00000054 popad 0x00000055 pop ebx 0x00000056 mov eax, dword ptr [ebp+122D14ADh] 0x0000005c ja 00007FE990B55954h 0x00000062 push FFFFFFFFh 0x00000064 jg 00007FE990B5593Ch 0x0000006a nop 0x0000006b pushad 0x0000006c jnp 00007FE990B55938h 0x00000072 push edx 0x00000073 pop edx 0x00000074 jng 00007FE990B55938h 0x0000007a push ecx 0x0000007b pop ecx 0x0000007c popad 0x0000007d push eax 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007FE990B5593Ah 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF8149 second address: DF815B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9911903FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFA18A second address: DFA1A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE990B55943h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB2EB second address: DFB2F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB2F1 second address: DFB2F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB2F5 second address: DFB30B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9911903FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB30B second address: DFB3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE990B55936h 0x0000000a popad 0x0000000b pop ecx 0x0000000c nop 0x0000000d xor dword ptr [ebp+124567E3h], ebx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a sbb edi, 202D5C00h 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 jmp 00007FE990B55944h 0x0000002c mov eax, dword ptr [ebp+122D0BF5h] 0x00000032 push 00000000h 0x00000034 push esi 0x00000035 call 00007FE990B55938h 0x0000003a pop esi 0x0000003b mov dword ptr [esp+04h], esi 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc esi 0x00000048 push esi 0x00000049 ret 0x0000004a pop esi 0x0000004b ret 0x0000004c mov ebx, dword ptr [ebp+122D39BAh] 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push ebp 0x00000057 call 00007FE990B55938h 0x0000005c pop ebp 0x0000005d mov dword ptr [esp+04h], ebp 0x00000061 add dword ptr [esp+04h], 00000014h 0x00000069 inc ebp 0x0000006a push ebp 0x0000006b ret 0x0000006c pop ebp 0x0000006d ret 0x0000006e pushad 0x0000006f mov di, dx 0x00000072 mov edx, dword ptr [ebp+122D38A6h] 0x00000078 popad 0x00000079 nop 0x0000007a jns 00007FE990B55940h 0x00000080 push eax 0x00000081 push ebx 0x00000082 push eax 0x00000083 push edx 0x00000084 pushad 0x00000085 popad 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFC179 second address: DFC17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFD20C second address: DFD210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFD210 second address: DFD21A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE9911903F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFD21A second address: DFD220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFD220 second address: DFD2A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9911903FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D38F2h] 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FE9911903F8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D1892h], eax 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 jns 00007FE9911903FBh 0x00000048 mov eax, dword ptr [ebp+122D0051h] 0x0000004e jl 00007FE9911903FCh 0x00000054 add ebx, dword ptr [ebp+122D3842h] 0x0000005a push FFFFFFFFh 0x0000005c push eax 0x0000005d call 00007FE9911903FBh 0x00000062 mov dword ptr [ebp+122D1C5Bh], ebx 0x00000068 pop edi 0x00000069 pop ebx 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jne 00007FE9911903F8h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0CE0D second address: E0CE21 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE990B5593Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FE990B55936h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E4FA second address: E0E50A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ecx 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E50A second address: E0E513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E513 second address: E0E517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15936 second address: E1593A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1593A second address: E15940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15940 second address: E15979 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B5593Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007FE990B55945h 0x00000010 jmp 00007FE990B5593Fh 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007FE990B5593Ch 0x00000021 ja 00007FE990B55936h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15979 second address: E159A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE991190403h 0x00000008 je 00007FE9911903F6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 js 00007FE9911903F8h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E159A7 second address: E159BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jl 00007FE990B55936h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E15D14 second address: E15D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE9911903F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E15D1E second address: C2DB40 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 601759DAh 0x0000000f cmc 0x00000010 push dword ptr [ebp+122D112Dh] 0x00000016 cmc 0x00000017 ja 00007FE990B55940h 0x0000001d call dword ptr [ebp+122D2690h] 0x00000023 pushad 0x00000024 jmp 00007FE990B55940h 0x00000029 mov dword ptr [ebp+122D2C43h], eax 0x0000002f xor eax, eax 0x00000031 clc 0x00000032 mov edx, dword ptr [esp+28h] 0x00000036 cld 0x00000037 mov dword ptr [ebp+122D3A16h], eax 0x0000003d pushad 0x0000003e or ecx, dword ptr [ebp+122D3A12h] 0x00000044 add edx, dword ptr [ebp+122D39F2h] 0x0000004a popad 0x0000004b mov esi, 0000003Ch 0x00000050 pushad 0x00000051 mov bh, B8h 0x00000053 mov edi, 5DCCA628h 0x00000058 popad 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d sub dword ptr [ebp+122D1F58h], edx 0x00000063 or dword ptr [ebp+122D1F58h], ebx 0x00000069 lodsw 0x0000006b stc 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 jnp 00007FE990B55937h 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a sub dword ptr [ebp+122D2C43h], ecx 0x00000080 push eax 0x00000081 pushad 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1BBCA second address: E1BBCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1AF95 second address: E1AFB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FE990B55936h 0x0000000c popad 0x0000000d jmp 00007FE990B5593Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B274 second address: E1B2AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FE9911903FEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007FE9911903FEh 0x00000011 jnc 00007FE9911903FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b js 00007FE9911903F6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1B2AE second address: E1B2D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edi 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FE990B55944h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22EED second address: E22F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jnp 00007FE991190410h 0x0000000d jmp 00007FE991190400h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E22F27 second address: E22F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E29260 second address: E29264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E29264 second address: E2926E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE990B55936h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2926E second address: E2928F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FE99119040Fh 0x0000000c jmp 00007FE991190403h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E28670 second address: E28677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E28677 second address: E286A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007FE9911903F6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c jmp 00007FE991190405h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E286A1 second address: E286C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B55942h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007FE990B55936h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E286C0 second address: E286CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E286CD second address: E286D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE990B55936h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E286D7 second address: E286DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E27B92 second address: E27BA3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE990B5593Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E27BA3 second address: E27BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE991190402h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E27BC1 second address: E27BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E27BCC second address: E27BD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E27BD2 second address: E27BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE990B55936h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E28C90 second address: E28CA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE9911903FAh 0x00000008 jng 00007FE9911903F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2D43D second address: E2D443 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C382 second address: E2C389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C389 second address: E2C3A0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE990B55938h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FE990B55936h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C3A0 second address: E2C3B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FE9911903FAh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEBE71 second address: DEBEE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE990B55940h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FE990B55938h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 stc 0x0000002a lea eax, dword ptr [ebp+12491C60h] 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007FE990B55938h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a and edx, 11C71251h 0x00000050 push eax 0x00000051 push edi 0x00000052 push eax 0x00000053 push edx 0x00000054 push ebx 0x00000055 pop ebx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC3CD second address: DEC3D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC3D1 second address: DEC3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC3D7 second address: C2DB40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9911903FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007FE9911903FDh 0x00000011 push dword ptr [ebp+122D112Dh] 0x00000017 pushad 0x00000018 mov edx, dword ptr [ebp+122D1D3Ch] 0x0000001e popad 0x0000001f call dword ptr [ebp+122D2690h] 0x00000025 pushad 0x00000026 jmp 00007FE991190400h 0x0000002b mov dword ptr [ebp+122D2C43h], eax 0x00000031 xor eax, eax 0x00000033 clc 0x00000034 mov edx, dword ptr [esp+28h] 0x00000038 cld 0x00000039 mov dword ptr [ebp+122D3A16h], eax 0x0000003f pushad 0x00000040 or ecx, dword ptr [ebp+122D3A12h] 0x00000046 add edx, dword ptr [ebp+122D39F2h] 0x0000004c popad 0x0000004d mov esi, 0000003Ch 0x00000052 pushad 0x00000053 mov bh, B8h 0x00000055 mov edi, 5DCCA628h 0x0000005a popad 0x0000005b add esi, dword ptr [esp+24h] 0x0000005f sub dword ptr [ebp+122D1F58h], edx 0x00000065 or dword ptr [ebp+122D1F58h], ebx 0x0000006b lodsw 0x0000006d stc 0x0000006e add eax, dword ptr [esp+24h] 0x00000072 jnp 00007FE9911903F7h 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c sub dword ptr [ebp+122D2C43h], ecx 0x00000082 push eax 0x00000083 pushad 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC483 second address: DEC489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC489 second address: DEC4F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jg 00007FE9911903F6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop esi 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jbe 00007FE99119040Ch 0x0000001f pushad 0x00000020 jg 00007FE9911903F6h 0x00000026 jmp 00007FE9911903FEh 0x0000002b popad 0x0000002c mov eax, dword ptr [eax] 0x0000002e pushad 0x0000002f jmp 00007FE991190408h 0x00000034 pushad 0x00000035 push ecx 0x00000036 pop ecx 0x00000037 push ecx 0x00000038 pop ecx 0x00000039 popad 0x0000003a popad 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f pushad 0x00000040 jl 00007FE9911903F8h 0x00000046 push esi 0x00000047 pop esi 0x00000048 js 00007FE9911903FCh 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC4F5 second address: DEC50E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dl, 03h 0x00000008 push CB382AA2h 0x0000000d pushad 0x0000000e je 00007FE990B55938h 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC5AF second address: DEC5B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC8CA second address: DEC8D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECD0C second address: DECD46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FE9911903F6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 add ecx, dword ptr [ebp+122D3A66h] 0x00000017 push 0000001Eh 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FE9911903F8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push eax 0x00000034 pushad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECD46 second address: DECD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECFDE second address: DECFF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE991190400h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DED0A9 second address: DED0CC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE990B55944h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FE990B55938h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DED0CC second address: DED14F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE9911903FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a xor edi, 6AFC565Ah 0x00000010 lea eax, dword ptr [ebp+12491CA4h] 0x00000016 mov dh, al 0x00000018 call 00007FE9911903FDh 0x0000001d mov ecx, dword ptr [ebp+122D38CEh] 0x00000023 pop edi 0x00000024 push eax 0x00000025 push edi 0x00000026 push ebx 0x00000027 push edi 0x00000028 pop edi 0x00000029 pop ebx 0x0000002a pop edi 0x0000002b mov dword ptr [esp], eax 0x0000002e jbe 00007FE9911903FCh 0x00000034 mov dword ptr [ebp+122D28B8h], ecx 0x0000003a lea eax, dword ptr [ebp+12491C60h] 0x00000040 push 00000000h 0x00000042 push edi 0x00000043 call 00007FE9911903F8h 0x00000048 pop edi 0x00000049 mov dword ptr [esp+04h], edi 0x0000004d add dword ptr [esp+04h], 00000014h 0x00000055 inc edi 0x00000056 push edi 0x00000057 ret 0x00000058 pop edi 0x00000059 ret 0x0000005a or dl, 00000071h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 jmp 00007FE9911903FFh 0x00000066 pushad 0x00000067 popad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DED14F second address: DED156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C63A second address: E2C653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9911903FFh 0x00000009 jnp 00007FE9911903F6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C8E9 second address: E2C8ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C8ED second address: E2C911 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE991190407h 0x00000007 jp 00007FE9911903F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2C911 second address: E2C93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pushad 0x00000009 jmp 00007FE990B5593Ah 0x0000000e jne 00007FE990B5593Ch 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 jnl 00007FE990B55936h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2CA69 second address: E2CA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2CA72 second address: E2CA83 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2CE5D second address: E2CE69 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE9911903F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E32C1C second address: E32C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E31AFF second address: E31B09 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9911903F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E31B09 second address: E31B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FE990B55936h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E321F4 second address: E3220E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE991190401h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3220E second address: E32214 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E32214 second address: E3221A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E324E3 second address: E32511 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FE990B5593Eh 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007FE990B55945h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E32A92 second address: E32A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E32A96 second address: E32AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE990B55949h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FE990B5593Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E360DB second address: E360F8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE9911903F6h 0x00000008 jmp 00007FE991190403h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E35DEA second address: E35E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE990B55944h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E35E03 second address: E35E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38964 second address: E38971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38971 second address: E38989 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FE9911903F6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38989 second address: E389A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE990B55947h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3CC60 second address: E3CC78 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE9911903F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE9911903FBh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3CC78 second address: E3CC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E43884 second address: E4389F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jnc 00007FE9911903F6h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FE9911903F6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4389F second address: E438A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E43DF4 second address: E43DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E43DF9 second address: E43E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FE990B55936h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DEC2DC second address: DEC2E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECAC1 second address: DECAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jbe 00007FE990B55936h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECAD2 second address: DECAD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECAD8 second address: DECADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECADC second address: DECAE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECAE0 second address: DECB46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edi, dword ptr [ebp+122D1C90h] 0x0000000f call 00007FE990B55944h 0x00000014 mov edx, dword ptr [ebp+122D1ACAh] 0x0000001a pop ecx 0x0000001b mov ebx, dword ptr [ebp+12491C9Fh] 0x00000021 mov dword ptr [ebp+122D238Ah], edi 0x00000027 mov edx, dword ptr [ebp+122D2BBFh] 0x0000002d add eax, ebx 0x0000002f sub edx, dword ptr [ebp+122D357Dh] 0x00000035 mov dword ptr [ebp+12454C81h], edi 0x0000003b nop 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FE990B55949h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DECB46 second address: DECB50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE9911903F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44C1E second address: E44C43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE990B55951h 0x0000000a jmp 00007FE990B55949h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44C43 second address: E44C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48E23 second address: E48E45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE990B55949h 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48E45 second address: E48E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE9911903F6h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48E56 second address: E48E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49676 second address: E4967A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5164A second address: E51672 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE990B55936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FE990B55938h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FE990B55944h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51672 second address: E51682 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FE991190402h 0x00000008 js 00007FE9911903F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4FA74 second address: E4FAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FE990B55943h 0x0000000a jng 00007FE990B55938h 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FE990B55936h 0x00000018 jo 00007FE990B55936h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50553 second address: E5057F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007FE9911903F6h 0x0000000b jmp 00007FE991190407h 0x00000010 jbe 00007FE9911903F6h 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5131E second address: E51327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E54587 second address: E5458B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5458B second address: E5459B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE990B5593Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5459B second address: E545A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E545A0 second address: E545AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E545AE second address: E545BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FE9911903F6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E545BD second address: E545C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E545C1 second address: E545CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007FE9911903F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5471B second address: E54731 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE990B55942h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E54731 second address: E54755 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE9911903F6h 0x00000008 jmp 00007FE991190405h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E548A5 second address: E548B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE990B5593Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E548B5 second address: E548D9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE9911903FAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FE9911903FAh 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007FE9911903F6h 0x0000001e push edi 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E548D9 second address: E548E3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE990B55936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E54A5B second address: E54A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E54A5F second address: E54A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FE990B5593Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E54A72 second address: E54A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FE9911903FEh 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007FE9911903F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D92CB5 second address: D92CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D92CBB second address: D92CCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007FE9911903F6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F594 second address: E5F599 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F8C8 second address: E5F8FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FE9911903F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 jmp 00007FE991190404h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FE9911903FAh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5F8FA second address: E5F8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5FD99 second address: E5FDB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE991190404h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FDB6 second address: E5FDC0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE990B5594Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FF1D second address: E5FF32 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE9911903F6h 0x00000008 jns 00007FE9911903F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FF32 second address: E5FF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FF3E second address: E5FF46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FF46 second address: E5FF50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E5FF50 second address: E5FF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E611F3 second address: E611FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E611FA second address: E61202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E685B5 second address: E685B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E685B9 second address: E685BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E74125 second address: E74129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E73C72 second address: E73C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E73C78 second address: E73C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FE990B55938h 0x0000000b jg 00007FE990B5593Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E73C8D second address: E73CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FE991190408h 0x0000000b jmp 00007FE991190400h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7865E second address: E78665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7DD69 second address: E7DD93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE991190406h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE9911903FEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7DD93 second address: E7DD9D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FE990B55936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E7CAB6 second address: E7CAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FE991190408h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E85FC8 second address: E85FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E85FCE second address: E85FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FE9911903F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FE9911903F6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E85FE3 second address: E86003 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B55946h 0x00000007 jbe 00007FE990B55936h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97D82 second address: D97D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97D86 second address: D97D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D97D8A second address: D97D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FE991190412h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D0E9 second address: E8D0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D405 second address: E8D409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D409 second address: E8D40D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D40D second address: E8D413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D413 second address: E8D42E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE990B55946h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8D42E second address: E8D465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9911903FFh 0x00000009 jmp 00007FE991190408h 0x0000000e popad 0x0000000f pushad 0x00000010 jg 00007FE9911903F6h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8DA06 second address: E8DA13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FE990B55936h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E8DA13 second address: E8DA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jg 00007FE9911903F6h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 pushad 0x00000015 push esi 0x00000016 pop esi 0x00000017 push esi 0x00000018 pop esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E917C6 second address: E917CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E917CC second address: E917F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE9911903F6h 0x00000008 je 00007FE9911903F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jns 00007FE991190402h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E98B8A second address: E98BC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B55944h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FE990B55949h 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAB33B second address: EAB372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jnc 00007FE991190408h 0x0000000f jnl 00007FE9911903FCh 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jnl 00007FE9911903F6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAB153 second address: EAB19F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE990B55946h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FE990B55936h 0x00000012 popad 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007FE990B55950h 0x0000001c pushad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAB19F second address: EAB1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE991190409h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAE90D second address: EAE911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAE911 second address: EAE91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAE91C second address: EAE925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAEA6B second address: EAEA88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE991190409h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EAEA88 second address: EAEA95 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE990B55936h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB54E3 second address: EB552B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE9911903FDh 0x00000009 pop edi 0x0000000a push esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FE9911903FDh 0x00000012 pop esi 0x00000013 jo 00007FE99119043Eh 0x00000019 pushad 0x0000001a jmp 00007FE991190401h 0x0000001f jmp 00007FE9911903FBh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EB82DC second address: EB834E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE990B55945h 0x00000008 jmp 00007FE990B55946h 0x0000000d jmp 00007FE990B55944h 0x00000012 popad 0x00000013 jmp 00007FE990B55942h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a jo 00007FE990B55951h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FE990B55941h 0x00000027 push edx 0x00000028 pop edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3B1A second address: EC3B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3B1E second address: EC3B22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3B22 second address: EC3B28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC367D second address: EC3681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC3681 second address: EC369E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007FE9911903F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007FE9911903FCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EC566D second address: EC5678 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBC608 second address: EBC60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBC60E second address: EBC646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FE990B55945h 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FE990B55942h 0x00000012 pushad 0x00000013 popad 0x00000014 jc 00007FE990B55936h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBC646 second address: EBC662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FE9911903F6h 0x0000000d jmp 00007FE9911903FFh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBC662 second address: EBC666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBC666 second address: EBC66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB394 second address: EBB3AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE990B55942h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB3AA second address: EBB3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007FE9911903FEh 0x0000000f jmp 00007FE9911903FFh 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007FE9911903F6h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB3DA second address: EBB3DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB4E9 second address: EBB4FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007FE9911903F6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB4FF second address: EBB529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jo 00007FE990B55936h 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007FE990B55936h 0x00000013 popad 0x00000014 push edx 0x00000015 jmp 00007FE990B55943h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB529 second address: EBB561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jne 00007FE9911903FEh 0x0000000e jmp 00007FE9911903FBh 0x00000013 push eax 0x00000014 jmp 00007FE991190402h 0x00000019 pop eax 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EBB561 second address: EBB567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE04E3 second address: DE04F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE9911903FFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: C2DBA0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: C2DAF6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: C32F4A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Special instruction interceptor: First address: C32128 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe - Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe - Memory allocated: 5760000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe - Memory allocated: 7760000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe - Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00DC3011 rdtsc 0_2_00DC3011
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00DC09D4 sidt fword ptr [esp-02h] 0_2_00DC09D4
Source: C:\Users\user\Desktop\file.exe - Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 7628 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00E126B6 GetSystemInfo,VirtualAlloc, 0_2_00E126B6
Source: C:\Users\user\Desktop\file.exe - Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe - System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe - Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe - Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe - Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe - File opened: NTICE
Source: C:\Users\user\Desktop\file.exe - File opened: SICE
Source: C:\Users\user\Desktop\file.exe - File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00DC3011 rdtsc 0_2_00DC3011
Source: C:\Users\user\Desktop\file.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe - Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp - Binary or memory string: 1Program Manager
Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00E06CA7 GetSystemTime,GetFileTime, 0_2_00E06CA7

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe - Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection - Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications - Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe - Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe - Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (techniques flagged for this sample, grouped by tactic; the leading number is the count of matching signatures):

  • Execution: 2 Command and Scripting Interpreter
  • Persistence: 1 DLL Side-Loading
  • Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, 2 Bypass User Account Control
  • Defense Evasion: 1 Masquerading, 41 Disable or Modify Tools, 271 Virtualization/Sandbox Evasion, 1 Process Injection, 1 Deobfuscate/Decode Files or Information, 3 Obfuscated Files or Information, 12 Software Packing, 1 DLL Side-Loading, 2 Bypass User Account Control
  • Discovery: 1 System Time Discovery, 641 Security Software Discovery, 2 Process Discovery, 271 Virtualization/Sandbox Evasion, 24 System Information Discovery
  • Collection: 1 Archive Collected Data
  • Command and Control: 2 Encrypted Channel
Source: file.exe | Detection: 100% | Scanner: Avira | Label: TR/Crypt.XPACK.Gen
Source: file.exe | Detection: 100% | Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1538182
Start date and time:2024-10-20 18:52:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 25s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.940815379126467
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'748'992 bytes
MD5:b8547daa28e0e2569a67323723f7b6a3
SHA1:d82928db453bfa7a0b27f0569f43e73678dab73e
SHA256:7bf5806bb4413fdf12d823fadccbad4ff2964b433af0dc9b8cc77c4efb70d480
SHA512:5f17d89407b7dbcf962a5e17e4c3ab97409253f912be565aae16f7fd3c57d6acf4e77ca52e90d15f2da877962f1dd28989fba9992573cb745dbcdc29d3882ef9
SSDEEP:24576:QI6PvCbo869amxCZbnOqBwthH7mV4EONUy6xyIP0J+Sowx9rGEwqQnYWlN31cdvz:p6PAWUTOOmexONU0+yhQ9lxGZzVBNp
TLSH:A285335A3AF1EA71F84DD235EDCBD25FA9A06B384CD483951B8ED08B1F591C2C0E194E
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............E.. ...`....@.. ........................E...........`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x858000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x2000 | 0x4000 | 0x1200 | a31347b341e49077c2ce357aeef873ea | False | 0.9296875 | data | 7.760468854355582 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0xa000 | 0x2a6000 | 0x200 | 0a7dcb431da93a3bd5bb35423b7288ba | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kztqccpr | 0x2b0000 | 0x1a6000 | 0x1a4e00 | 563857a29c13a6fe5319b4c82ad4944f | False | 0.9951342998217998 | data | 7.954365764154436 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wruvxkpy | 0x456000 | 0x2000 | 0x400 | 5faf69ab1c2a7a2ea977eb799390f7ed | False | 0.84375 | data | 6.442930837212029 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x458000 | 0x4000 | 0x2200 | f83e0540b997de94b4d143fbb0643cea | False | 0.404296875 | DOS executable (COM) | 4.290940072196973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found

Target ID:0
Start time:12:52:58
Start date:20/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0xc20000
File size:1'748'992 bytes
MD5 hash:B8547DAA28E0E2569A67323723F7B6A3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:3.9%
    Dynamic/Decrypted Code Coverage:3.6%
    Signature Coverage:4.2%
    Total number of Nodes:331
    Total number of Limit Nodes:17

    Control-flow Graph

    APIs
    • GetSystemInfo.KERNELBASE(?,-116A5FEC), ref: 00E126C2
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00E12723
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: 2a1010bef56b3670ecaf6f5f85bd588d0c1341f8c89e9b0a46a2dbfae6f4da52
    • Instruction ID: 5f1b8c6de306f8babbe517a7fc418526646f1090506b2d06cef186ae7b50ce5f
    • Opcode Fuzzy Hash: 2a1010bef56b3670ecaf6f5f85bd588d0c1341f8c89e9b0a46a2dbfae6f4da52
    • Instruction Fuzzy Hash: 68410FB2D04246AFE739CF60CC45BD6B7ACBF48741F140166E603EE982E67095E4CBA4

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00E0433E
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00E04352
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 115bc69827a7ac971e2e402a3805c77609257146bb8ce53dee512cf8466d9996
    • Instruction ID: cd0397661cac3164656e799179b469a251c957b1af457750245345dd9dd06724
    • Opcode Fuzzy Hash: 115bc69827a7ac971e2e402a3805c77609257146bb8ce53dee512cf8466d9996
    • Instruction Fuzzy Hash: 01315AF1504206EFDF25AFA0DA04AAD7BB5FF48341F10A129FA027A1E1C73599E0DB51

    Control-flow Graph

    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00E046C5,?,00000000,00000000), ref: 00E047F0
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00E046C5,?,00000000,00000000), ref: 00E047FE
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: fac40e1222f3e2ca3c24fa9aa9d25419acf4dd0cc0f2b3c33d55592d8f7ca18d
    • Instruction ID: 927072c475ef8ddc73fe3da5aced75649035b33d0e7e6d9689120b9ec9916aa0
    • Opcode Fuzzy Hash: fac40e1222f3e2ca3c24fa9aa9d25419acf4dd0cc0f2b3c33d55592d8f7ca18d
    • Instruction Fuzzy Hash: 381186F1104A06EFEB36AF54CA0C7AD76B1FF01349F046226E602798E1D77598E4CA51

    Control-flow Graph

    APIs
    • GetFileAttributesW.KERNELBASE(016C13B4,-116A5FEC), ref: 00E07106
    • GetFileAttributesA.KERNEL32(00000000,-116A5FEC), ref: 00E07114
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 0068613bd858db9bf29b4736b701497da28b76c8090b3428e6cd051f67d483c0
    • Instruction ID: dbf633bec264adde11ef15e7d1d4943b6a438680ad637671e5a8c8919cdeeb61
    • Opcode Fuzzy Hash: 0068613bd858db9bf29b4736b701497da28b76c8090b3428e6cd051f67d483c0
    • Instruction Fuzzy Hash: FE018170A09105FAEF219F64C9097AC7FB0FF10348F20A255E583790D1C3716AD1EA44

    Control-flow Graph

    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00E0316F
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: c7705661efca11f8d0e07b7bf5d961ad0c86398f1bb0e0c6175b20854b2866c9
    • Instruction ID: 7408218b994f0806b30d8d5bc1e8b96ec119e370a593ea2cacc644d705bfc2e9
    • Opcode Fuzzy Hash: c7705661efca11f8d0e07b7bf5d961ad0c86398f1bb0e0c6175b20854b2866c9
    • Instruction Fuzzy Hash: B331DD3560120ABEDF25DFA4CC09F9EB7BABF48705F001255FA02B54A0D7729AA1DB54

    Control-flow Graph

    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00E04880
    Similarity
    • API ID: CurrentHandleModuleThread
    • String ID: .dll
    • API String ID: 2752942033-2738580789
    • Opcode ID: aee181327f4b97aff2f2e69f83cbd893b5da3c406b487f10f656d40e1f665005
    • Instruction ID: 98a67112797935ac63b8e098e3882c862bf9fc2eac95cd223956d33be2b6d88e
    • Opcode Fuzzy Hash: aee181327f4b97aff2f2e69f83cbd893b5da3c406b487f10f656d40e1f665005
    • Instruction Fuzzy Hash: 5BF06DB1104244ABDB14DFA4CA8ABAD7BF4BF58340F10A418FB026A0D2C331C9E19A61

    Control-flow Graph

    APIs
    • CreateFileW.KERNELBASE(016C13B4,?,?,-116A5FEC,?,?,?,-116A5FEC,?), ref: 00E0735B
      • Part of subcall function 00E0725B: IsBadWritePtr.KERNEL32(?,00000004), ref: 00E07269
    • CreateFileA.KERNEL32(?,?,?,-116A5FEC,?,?,?,-116A5FEC,?), ref: 00E0737B
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 8a4dcef7257f5ac7d23cba78fde643235308e03dbf20b303c66babf793561d1f
    • Instruction ID: d26722fca87bb71ad4c6729d8c9ca5a78a84a6b7250227f2a01620a8cd041207
    • Opcode Fuzzy Hash: 8a4dcef7257f5ac7d23cba78fde643235308e03dbf20b303c66babf793561d1f
    • Instruction Fuzzy Hash: 8711D67290820AEAEF229F90C909BED3EB2BF14344F145115B982790F1C779A9E1EB51

    Control-flow Graph (graph rendering omitted)
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • GetCurrentProcess.KERNEL32(-116A5FEC), ref: 00E06C22
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E06C88
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessThread
    • String ID:
    • API String ID: 3748180921-0
    • Opcode ID: 8693c2857efb27bb23d5674312bb0c422cdbc4fa5da0c89f4d300580b5904ba5
    • Instruction ID: ecdeeff2112a4c0334a004a2475554a6d4060622a7a4de901875d271377ef24e
    • Opcode Fuzzy Hash: 8693c2857efb27bb23d5674312bb0c422cdbc4fa5da0c89f4d300580b5904ba5
    • Instruction Fuzzy Hash: C501FB7220010ABBDF22AFA4CD88DEE7BB5FF983547045515FA43A5091C736D0B2EB61

    Control-flow Graph (graph rendering omitted)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,[',00E12A55,?,?,?,?,?,[',?,?,00E1275B), ref: 00E12A79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID: ['
    • API String ID: 4275171209-3224859803
    • Opcode ID: aa38bbdf51c7d06fbe8891e9ae9db3ca8647d6914a46db0cc55b26fb04c36b3c
    • Instruction ID: 5822191b8133a72a42df0ddff6382f467569e6da377faa4d9edf319cefa7562e
    • Opcode Fuzzy Hash: aa38bbdf51c7d06fbe8891e9ae9db3ca8647d6914a46db0cc55b26fb04c36b3c
    • Instruction Fuzzy Hash: 28F06DB1904206AFE724CF15CD09B99BBE4FF45762F148068E54AAB591E3B198D0CB54

    Control-flow Graph (graph rendering omitted)
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • CloseHandle.KERNELBASE(?,-116A5FEC,?,?,00E05271,?), ref: 00E058EC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleThread
    • String ID: qR
    • API String ID: 3305057742-396825488
    • Opcode ID: 3dea0c8681e45e2f99b34294d6086a29c0ff01e753d89b94bf10d1acc883ee66
    • Instruction ID: 13b5de8dd95157e29a7b2b7335a4e65fb47e1d0994be52c7ac75233a9102c1d9
    • Opcode Fuzzy Hash: 3dea0c8681e45e2f99b34294d6086a29c0ff01e753d89b94bf10d1acc883ee66
    • Instruction Fuzzy Hash: 92E04F63200542B6CA246AB8D94DD9F7BE8EFD4384740A635FA03BA0C5EA31C4D2DA30

    Control-flow Graph (graph rendering omitted)
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ab5d025c7bcfcd3756e8edb52c3e93bfb298bd8e8fcdf4e3a2de143198ca77a0
    • Instruction ID: def48993cbeaf037e5c3255a2890ebbe4ca6ee398a2b4018e4927955887944fd
    • Opcode Fuzzy Hash: ab5d025c7bcfcd3756e8edb52c3e93bfb298bd8e8fcdf4e3a2de143198ca77a0
    • Instruction Fuzzy Hash: AD418CB2A05209EFEB24DF64C844BED7BB5FF05318F24A054E902BA5A1C335AED4DB50

    Control-flow Graph (graph rendering omitted)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00E05349
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: a11633323b1775ebf369d85e9a69923043eafe82d27ae9b858ad4c9803409bdd
    • Instruction ID: d7aa4eb5b625e0280f0f46ad8a45adcb665ce46c575813d36da547ada89c3876
    • Opcode Fuzzy Hash: a11633323b1775ebf369d85e9a69923043eafe82d27ae9b858ad4c9803409bdd
    • Instruction Fuzzy Hash: 82317E72A00609FAEB20DF64DC45FAEBBB8EB44314F209169F606AA1D1C7759981CF10

    Control-flow Graph (graph rendering omitted)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00E04B32
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: 8ba7c1cd59440ca49ee2e6af68d1497abf9b4da5417ca8d97b5d47edf0b78a26
    • Instruction ID: cc2282723e544d534a78892fdd4ce0d8e5b164d125a43e4a0f4723d8e8bc86a9
    • Opcode Fuzzy Hash: 8ba7c1cd59440ca49ee2e6af68d1497abf9b4da5417ca8d97b5d47edf0b78a26
    • Instruction Fuzzy Hash: 18315EF1A40205BAEB30DF64DC45F99BBB8AB04728F208369F716BA1D1D7B1A581CB54
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00E12EDC
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 834bbfa34e01865351168d1b813f916fb5bf8674c49bfa60d0a6f74a2549a5e2
    • Instruction ID: c6f5c1139f1372f68d2041eb38ac4766c7820786e2ae88a4f67e76291efad210
    • Opcode Fuzzy Hash: 834bbfa34e01865351168d1b813f916fb5bf8674c49bfa60d0a6f74a2549a5e2
    • Instruction Fuzzy Hash: 43119371B01229AFEB314A04CC48BEEB77CAF18754F1050A9EA05BA141E7749DD28AA9
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1809485237.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 669a488f9b91e59f3cf43461c83c215f67a224b90768050660c4bdeb35fc0524
    • Instruction ID: 4478e2e4ce40baee2aa3c6229824eb7039d8f8081b6cbde610e9798528b0bc15
    • Opcode Fuzzy Hash: 669a488f9b91e59f3cf43461c83c215f67a224b90768050660c4bdeb35fc0524
    • Instruction Fuzzy Hash: 232107BA805218DFCB50CF99D884BDEFBF4FB88720F14855AD809AB345D734A540CBA5
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 054C0DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1809485237.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 88a49dd265b1ad5cf0fa2ba0c1850da1cdefb2c1f9c6982e283e2827ee7b0611
    • Instruction ID: 3c6d2aab5cbb915f2da28d133e540c8416c69a11a3aedb5ccb7575dd3a40f0f2
    • Opcode Fuzzy Hash: 88a49dd265b1ad5cf0fa2ba0c1850da1cdefb2c1f9c6982e283e2827ee7b0611
    • Instruction Fuzzy Hash: AE2104BA801218DFCB50CF99D884ADEFBB4FB88720F14856AD809AB305D734A540CBA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 054C1580
    Memory Dump Source
    • Source File: 00000000.00000002.1809485237.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: b78fe12ee3f6c0fedebf87d13e202be84a604f96634e764cf6c638d1d2ed5359
    • Instruction ID: f8113648ce1464e24c214ca349ce913df33a972a9c310a08ac9a10da869ca3b1
    • Opcode Fuzzy Hash: b78fe12ee3f6c0fedebf87d13e202be84a604f96634e764cf6c638d1d2ed5359
    • Instruction Fuzzy Hash: 2B1114B5900249CFDB10CF9AC484BDEFBF4EB48320F10842AE959A3251D378A644CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 054C1580
    Memory Dump Source
    • Source File: 00000000.00000002.1809485237.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: dc115d77c6bb5dfc273280d5affc3fefa5798e17e327d1c658c7ad6130e9f226
    • Instruction ID: 536379076036ec258151ad09e98f1da2811f6b6f56b22740fe507af6a72aef29
    • Opcode Fuzzy Hash: dc115d77c6bb5dfc273280d5affc3fefa5798e17e327d1c658c7ad6130e9f226
    • Instruction Fuzzy Hash: E51114B6D00249CFDB10CF9AC584BDEFBF4AB48320F10842AE559A7251D338A684CFA5
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-116A5FEC), ref: 00E07E68
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CurrentFileThreadView
    • String ID:
    • API String ID: 1949693742-0
    • Opcode ID: 7146212ddbfaaa46d4f8280cf9ef0e92b728476be10ef6e7f3375d326e099398
    • Instruction ID: 3d423306416f78d99e0c501e58581281c9ac85c8e83d141c3ba30878fbd526cf
    • Opcode Fuzzy Hash: 7146212ddbfaaa46d4f8280cf9ef0e92b728476be10ef6e7f3375d326e099398
    • Instruction Fuzzy Hash: 5311273250410AEBCF12AFE4CC09D9F3BA6BF49344B046559FA42650A1C336D8F2EB61
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CurrentThread
    • String ID:
    • API String ID: 2882836952-0
    • Opcode ID: 1d91c3d14ee0caf3901e5e3ae29727f74158b95810863d80253e9541c673d36f
    • Instruction ID: baeaa96c5c54323a2f6fd670bcb211985d82df6120e1f792c8d9b8a4323366b3
    • Opcode Fuzzy Hash: 1d91c3d14ee0caf3901e5e3ae29727f74158b95810863d80253e9541c673d36f
    • Instruction Fuzzy Hash: 78117C3250410AEBDF12AFA4D98CA9EBBB5AF48344F146414B942690A1C736D9E1EFA0
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
    Memory Dump Source
    • Source File: 00000000.00000002.1809485237.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 3c8c1d679946fefe9dd470dfef91682d68fcc025820fe7b04792f45cbe481bf1
    • Instruction ID: cfd944bf84a348a06d28039e55d1f1ba75ebb22e275d2e88fec9253395f01676
    • Opcode Fuzzy Hash: 3c8c1d679946fefe9dd470dfef91682d68fcc025820fe7b04792f45cbe481bf1
    • Instruction Fuzzy Hash: 4F1155B1800249CFDB10CF9AC885BDEFBF8EF48324F20846AD458A3250C378A584CFA4
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 054C1367
    Memory Dump Source
    • Source File: 00000000.00000002.1809485237.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_54c0000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: d5f2e0dee7157e22d925819de52df3d4222f750787392f24bd3f74702a57b423
    • Instruction ID: d89b4239347e0a023982b3cf9841874ca7dc07237d5e27e25315aba88b021851
    • Opcode Fuzzy Hash: d5f2e0dee7157e22d925819de52df3d4222f750787392f24bd3f74702a57b423
    • Instruction Fuzzy Hash: 321133B1800249CFDB10CF9AC544BDEFBF8EB48324F20846AD558A3251C778A984CFA5
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-116A5FEC,?,?,00E051DC,?,?,00000400,?,00000000,?,00000000), ref: 00E07519
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CurrentFileReadThread
    • String ID:
    • API String ID: 2348311434-0
    • Opcode ID: 0847d9e085398333f552726e7096b44ee0a9e7700420998f7d73c28af4e87bd9
    • Instruction ID: d76cc11329bedf6f012ef9747548cdbe48c13437834a5360c2861286f91f121f
    • Opcode Fuzzy Hash: 0847d9e085398333f552726e7096b44ee0a9e7700420998f7d73c28af4e87bd9
    • Instruction Fuzzy Hash: 91F01972504049EBDF129FA4CD09DDE3BA6BF99340B046015FA02690A1D732D4E2EB61
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: dc01ca37abf5c60239a4479ebc9e0a38b3696adaa851c48128c7a4dde68b32f2
    • Instruction ID: c544e6cbdfb863889ec0793ed67b7c4b94f3e4b6d257ecb90272e56034848370
    • Opcode Fuzzy Hash: dc01ca37abf5c60239a4479ebc9e0a38b3696adaa851c48128c7a4dde68b32f2
    • Instruction Fuzzy Hash: 85E0DFB6A0A501CFC2019F1CC84481DB3E6AFDC350F16492CA7D7C3301DA308810AB73
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    APIs
    • CloseHandle.KERNELBASE(?,?,00E029F9,?,?), ref: 00E04979
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Similarity
    • API ID:
    • String ID: %r?o$(1>w$9)7$Alyw$R,c$Vhgv$_m]{$;}W$=_7$]:w
    • API String ID: 0-1110246121
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: E:v$Gj=$HSsv$XGpW$YGpW$ck~$m&,$tx/T$ygo{$?~~
    • API String ID: 0-61830977
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: %M.w$AK9$B?y$J*G$O7$][X}$t))$ys/$I_M
    • API String ID: 0-3145474106
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: aw$&'}u$2K:$6fcz$P9=^$V(=|$k7o$#>
    • API String ID: 0-1328526277
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: =ya$B4l0$`xW~$r4^k$0s]$Mo
    • API String ID: 0-1535774666
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: Z,9w$\X_?$\X_?$^vW$~?
    • API String ID: 0-1247011714
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: /Vi$7'|?$@`s9$dRi1
    • API String ID: 0-55975688
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: ;}}W$Ae^$dQ=${%.
    • API String ID: 0-3518392150
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: 7s[$a;$z/g$z5w
    • API String ID: 0-500784102
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: 9h)$QtS$tGk
    • API String ID: 0-3196727211
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: Eho$T3{$a~o
    • API String ID: 0-1881485383
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: 3,>~$/M$7/?
    • API String ID: 0-1484068146
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: 9_M$CSA$$F<v_
    • API String ID: 0-4005504553
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • GetSystemTime.KERNEL32(?,-116A5FEC), ref: 00E06CDC
    • GetFileTime.KERNEL32(?,?,?,?,-116A5FEC), ref: 00E06D1F
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID: Time$CurrentFileSystemThread
    • String ID:
    • API String ID: 2191017843-0
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00E07BAC
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: zo
    • API String ID: 0-1756426122
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    Similarity
    • API ID:
    • String ID: jmo
    • API String ID: 0-3044506140
    • Opcode ID: 82dab719c1f1ad693b05e1a75b1445310f6bb3e7e3118b501d399a11a0056b17
    • Instruction ID: 9e4a5eff8e349cb9b08fdd34dc6616f027b883d7608f093f5c32c106c1e097dc
    • Opcode Fuzzy Hash: 82dab719c1f1ad693b05e1a75b1445310f6bb3e7e3118b501d399a11a0056b17
    • Instruction Fuzzy Hash: 713167F350C3048FD350BE38DD897AABBE5AB40310F164A3DDBD993604EA3459588787
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 36de4897caf36222991cbabdf9835348851f23d603a800b21ae0dc5f8431cf2b
    • Instruction ID: 6d4702f2a5e564862ea2037403147295e7be84fb7371a37bd136e3a3956d5ee6
    • Opcode Fuzzy Hash: 36de4897caf36222991cbabdf9835348851f23d603a800b21ae0dc5f8431cf2b
    • Instruction Fuzzy Hash: BEC1E1B100DBC15FE3139B349965665BFF0AF47210F198AEED4C18B2A3D324A48AD763
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2c8faa2f09bf9c03f4205e749e170989607d885a87a034e90c8183f96c35bb7c
    • Instruction ID: 942a0f6513e5dcc7dafb698f847bf6fbfa89f762884fed94daa123e10ba70cae
    • Opcode Fuzzy Hash: 2c8faa2f09bf9c03f4205e749e170989607d885a87a034e90c8183f96c35bb7c
    • Instruction Fuzzy Hash: 3B9139F3E086109FF3005E29DC9436ABBD6EBD4320F2B463DDA98977C4E9794C068291
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f0ff6af2e4535378287506a7175d829b477c0ced837d17b83ba6661179d4cca4
    • Instruction ID: 5e4cb60087a514ea9cc88be9eb2310471f678e44293367bf1552a5a5eb5976b2
    • Opcode Fuzzy Hash: f0ff6af2e4535378287506a7175d829b477c0ced837d17b83ba6661179d4cca4
    • Instruction Fuzzy Hash: 50416FF3A182009BF7586A2DEC5476BB7DBEBD4321F2B853DD694C7384E93944018686
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 97f1785224c5aaa14a8463cc14ed8261dc96fd5cd36e1021a1d5e21b60ab5ab2
    • Instruction ID: 0b81688d75a03215f3f8ac1022b764f70507d01d489b1320757525b2062a8b97
    • Opcode Fuzzy Hash: 97f1785224c5aaa14a8463cc14ed8261dc96fd5cd36e1021a1d5e21b60ab5ab2
    • Instruction Fuzzy Hash: C041B0F3A086049FE350AE2DDCC577AF7E5EB94310F1A463CDAC4C3784E97998448696
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ba45b691a32faf17926f44a60cc45c6130e3eef088cabd42e4d6f8cd42b74def
    • Instruction ID: 658c7c67d31be395b52065c28e6e0529a115d172c89921cec00aae4385a75155
    • Opcode Fuzzy Hash: ba45b691a32faf17926f44a60cc45c6130e3eef088cabd42e4d6f8cd42b74def
    • Instruction Fuzzy Hash: 314127F3E1C2145BF3186A6CEC99736B7D4EB14310F16063EEE89D3784F965990086C6
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6b5e148e757421975d154f3f92b34b9a2ceb909cdff636ad1869a094032b5c13
    • Instruction ID: 97ec2bf06886b67a3a85793731f3a3a90c293d9493783c586fdf46563ccbe2b4
    • Opcode Fuzzy Hash: 6b5e148e757421975d154f3f92b34b9a2ceb909cdff636ad1869a094032b5c13
    • Instruction Fuzzy Hash: 3B3148F290C300AFD316AF18D845ABEFBE9FF58720F16482DE6C592610E73555848BA7
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 11cb38520b5f151e654f1764e5a4443179ebf1d1050ef5cb2bf9c55c8685e24f
    • Instruction ID: c08c62dfd9245d1868339841254580d2e7a6bcca75808013eb9464ca5cca2149
    • Opcode Fuzzy Hash: 11cb38520b5f151e654f1764e5a4443179ebf1d1050ef5cb2bf9c55c8685e24f
    • Instruction Fuzzy Hash: AFE04F36009105AACB009F54C845A9FFBF8FF19310F248449E844C7222C2358C41CB2A
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
      • Part of subcall function 00E0725B: IsBadWritePtr.KERNEL32(?,00000004), ref: 00E07269
    • wsprintfA.USER32 ref: 00E06223
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00E062E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 439219941-2046107164
    • Opcode ID: a046dd84d5845312434d7bbf8276fbfa9511a3859045e5e2f7530b4ae2178259
    • Instruction ID: 7b00d86712a3ae1dbd70bf2f4561d243486efe09df3aafdd94a88dfe8169eab2
    • Opcode Fuzzy Hash: a046dd84d5845312434d7bbf8276fbfa9511a3859045e5e2f7530b4ae2178259
    • Instruction Fuzzy Hash: 9C31F771A0010ABBCF11DFA4DD49EEEBBB5FF88310F108125F612B61A1D7719AA1DB50
    APIs
    • GetFileAttributesExW.KERNEL32(016C13B4,00004020,00000000,-116A5FEC), ref: 00E06E9B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: b9b1cb22420eea2306b0d79fd4df08b491d87f11e0aab3ceb7738043e9787bf0
    • Instruction ID: 5a0cb928076cbc1937ff94d61cd791baa73476cae988b25153743a78e0ca74ef
    • Opcode Fuzzy Hash: b9b1cb22420eea2306b0d79fd4df08b491d87f11e0aab3ceb7738043e9787bf0
    • Instruction Fuzzy Hash: C2319CB5504305EFDB259F54C848B9EBBB0FF04340F00A619E9567B6A0C370AAA5CF80
    APIs
      • Part of subcall function 00E02B5A: GetCurrentThreadId.KERNEL32 ref: 00E02B69
    • GetFileSize.KERNEL32(?,`Q,-116A5FEC,?,?,00E05160,?,00000000), ref: 00E07875
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1807590139.0000000000DB7000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true
    • Associated: 00000000.00000002.1807537453.0000000000C20000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807559149.0000000000C22000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807575382.0000000000C26000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000C2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000EC1000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807590139.0000000000ED0000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807799603.0000000000ED1000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807905814.0000000001076000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1807920453.0000000001078000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_c20000_file.jbxd
    Similarity
    • API ID: CurrentFileSizeThread
    • String ID: `Q$`Q
    • API String ID: 94952809-3304316034
    • Opcode ID: 8833aeae7cf093331c5f5469e0528a2946b055fb85bb17bef447c0175f5f2115
    • Instruction ID: 69de845ee90a87c45bb42ba696648052cea482e9f15a5c66156cdb0419913f1b
    • Opcode Fuzzy Hash: 8833aeae7cf093331c5f5469e0528a2946b055fb85bb17bef447c0175f5f2115
    • Instruction Fuzzy Hash: 1A014C31604115FBEB39AF69C84CB997BF5FF80318F14A226F542AA5D0C735A8D1CA30