
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538204
MD5: fcea453f064a55fc3ae011ed4c822299
SHA1: bf0240e1df04f0f6d8f346aff5f13709b6f18eb9
SHA256: a732580d9bcc87ecf489b550648116143cfea9b36d165de1237ddb5968ae6c94
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\file.exe" MD5: FCEA453F064A55FC3AE011ED4C822299)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4DA58 CryptVerifySignatureA
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: file.exe, 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1712071516.0000000005520000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECB018
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE71FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE22FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E2D3D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE932A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB531D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDF486
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF642
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDB644
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEA8A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EBE825
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E0894E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC3BF3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F16C5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE3D64
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EEDD54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED7D14
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E75E07
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00F48A4D appears 35 times
Source: file.exe, 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Static PE information: Section: dqhhwlkv ZLIB complexity 0.9948120839497041
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_056215D0 ChangeServiceConfigA
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 1755648 > 1048576
Source: file.exe | Static PE information: Raw size of dqhhwlkv is bigger than: 0x100000 < 0x1a6800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dqhhwlkv:EW;ygqkenky:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b7dc6 should be: 0x1bbc8c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: dqhhwlkv
Source: file.exe | Static PE information: section name: ygqkenky
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0243E push ebp; mov dword ptr [esp], edx (0_2_00F02445)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0243E push esi; mov dword ptr [esp], ebx (0_2_00F05F43)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F02A3C push edx; mov dword ptr [esp], 3F68AFE7h (0_2_00F044BA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F02A3C push 550A2400h; mov dword ptr [esp], ebp (0_2_00F062C6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F02A3C push eax; mov dword ptr [esp], esp (0_2_00F062CA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD90F0 push eax; mov dword ptr [esp], ebp (0_2_00FD9469)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F990F6 push ebx; mov dword ptr [esp], esp (0_2_00F99143)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D780F3 push ebx; mov dword ptr [esp], 5EFD85CDh (0_2_00D78246)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D780F3 push eax; mov dword ptr [esp], ebx (0_2_00D78252)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D780F3 push ebx; mov dword ptr [esp], eax (0_2_00D78269)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D780F3 push 3358E218h; mov dword ptr [esp], ebp (0_2_00D78271)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D780F3 push esi; mov dword ptr [esp], ebx (0_2_00D782C0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F020DB push edx; mov dword ptr [esp], 5ACFAA7Eh (0_2_00F029C6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F020DB push edx; mov dword ptr [esp], 766CBB81h (0_2_00F029D1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F090CA push edx; mov dword ptr [esp], ecx (0_2_00F090D3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA109B push ecx; mov dword ptr [esp], 3A6D7146h (0_2_00FA10D9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F05096 push 62CE4B32h; mov dword ptr [esp], eax (0_2_00F050A5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F19097 push 350E434Dh; mov dword ptr [esp], ecx (0_2_00F1914C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push ebx; mov dword ptr [esp], eax (0_2_00EDD068)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push eax; mov dword ptr [esp], edx (0_2_00EDD113)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 7B176125h; mov dword ptr [esp], ebp (0_2_00EDD16B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 68ED7844h; mov dword ptr [esp], esi (0_2_00EDD1D4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 264B22A0h; mov dword ptr [esp], eax (0_2_00EDD211)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push edi; mov dword ptr [esp], edx (0_2_00EDD26D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 4622CA0Bh; mov dword ptr [esp], esi (0_2_00EDD2A1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push esi; mov dword ptr [esp], edx (0_2_00EDD38F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 54FDDD3Bh; mov dword ptr [esp], edx (0_2_00EDD44A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 3743AC06h; mov dword ptr [esp], eax (0_2_00EDD45A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push ecx; mov dword ptr [esp], 4C63062Eh (0_2_00EDD4EF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push 372631BFh; mov dword ptr [esp], edi (0_2_00EDD530)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EDD061 push ecx; mov dword ptr [esp], eax (0_2_00EDD5A9)
Source: file.exe | Static PE information: section name: entropy: 7.803903347541593
Source: file.exe | Static PE information: section name: dqhhwlkv entropy: 7.952845025246385

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF5515 second address: EF5519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF57E4 second address: EF57F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE5Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF7D5F second address: EF7D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF7EDF second address: EF7EEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F38E8C7DE5Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF7F95 second address: EF7FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38E8DD200Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF7FA3 second address: EF8004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 48162B11h 0x0000000f jmp 00007F38E8C7DE67h 0x00000014 lea ebx, dword ptr [ebp+1245DC48h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F38E8C7DE58h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 jnl 00007F38E8C7DE58h 0x0000003a xchg eax, ebx 0x0000003b jc 00007F38E8C7DE7Ah 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8004 second address: EF8008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF80C6 second address: EF80D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF80D2 second address: EF810A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 nop 0x00000007 pushad 0x00000008 movzx edi, cx 0x0000000b jmp 00007F38E8DD200Bh 0x00000010 popad 0x00000011 xor dword ptr [ebp+122D1A71h], edi 0x00000017 push 00000000h 0x00000019 mov dword ptr [ebp+122D1FFAh], esi 0x0000001f add dx, ADE1h 0x00000024 call 00007F38E8DD2009h 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push ecx 0x0000002d pop ecx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF810A second address: EF8114 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8114 second address: EF8118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8118 second address: EF8128 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8128 second address: EF8142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F38E8DD2013h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8142 second address: EF815F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F38E8C7DE5Bh 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF815F second address: EF8163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8163 second address: EF8171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F38E8C7DE56h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8171 second address: EF8175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8175 second address: EF8184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF8184 second address: EF81DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F38E8DD2008h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 and dx, A2B9h 0x00000026 push 00000003h 0x00000028 mov dword ptr [ebp+122D1BCCh], esi 0x0000002e push 00000000h 0x00000030 xor dword ptr [ebp+122D34CBh], ecx 0x00000036 push 00000003h 0x00000038 pushad 0x00000039 mov bx, 733Fh 0x0000003d mov cx, si 0x00000040 popad 0x00000041 push 9E2D067Eh 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jl 00007F38E8DD2006h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EF81DD second address: EF81E7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F0B37B second address: F0B381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F18DF1 second address: F18E00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 jne 00007F38E8C7DE56h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EDCB6D second address: EDCB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F16DA3 second address: F16DB8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F38E8C7DE56h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F16DB8 second address: F16DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F38E8DD2019h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F16F34 second address: F16F7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F38E8C7DE5Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F38E8C7DE61h 0x00000016 jmp 00007F38E8C7DE67h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F16F7C second address: F16F99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD2017h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F16F99 second address: F16F9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F17640 second address: F17660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F38E8DD2008h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F17660 second address: F17688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE64h 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F38E8C7DE5Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F17688 second address: F1768E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1768E second address: F17694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F17694 second address: F1769D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F17B23 second address: F17B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F0CACB second address: F0CAD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EEA43D second address: EEA442 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1802C second address: F1805B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F38E8DD200Ch 0x0000000c jnc 00007F38E8DD2006h 0x00000012 popad 0x00000013 jne 00007F38E8DD2023h 0x00000019 jmp 00007F38E8DD2011h 0x0000001e pushad 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F185C6 second address: F185DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE63h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1871A second address: F18720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1F5EF second address: F1F603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE5Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1F603 second address: F1F621 instructions: 0x00000000 rdtsc 0x00000002 je 00007F38E8DD2013h 0x00000008 jmp 00007F38E8DD200Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1FCB0 second address: F1FCC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE5Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F1FCC9 second address: F1FD0F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F38E8DD2019h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push esi 0x00000011 jmp 00007F38E8DD2015h 0x00000016 pop esi 0x00000017 mov eax, dword ptr [eax] 0x00000019 je 00007F38E8DD200Eh 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F23374 second address: F2337A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2337A second address: F23382 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F238D1 second address: F238EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE64h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F238EB second address: F23903 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F38E8DD2013h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F23903 second address: F23909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F23909 second address: F2392A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8DD2018h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F277C0 second address: F277C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F277C7 second address: F277E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38E8DD2015h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F278A5 second address: F278B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F278B0 second address: F278B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F27FDC second address: F27FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F27FE0 second address: F27FE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F27FE6 second address: F27FEB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F28F86 second address: F28F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F28F8A second address: F28F90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2A1EA second address: F2A210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD2013h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F38E8DD200Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2A210 second address: F2A215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2AD5B second address: F2ADED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 ja 00007F38E8DD2018h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F38E8DD2008h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push 00000000h 0x0000002c jmp 00007F38E8DD2017h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F38E8DD2008h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d xchg eax, ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 jmp 00007F38E8DD200Eh 0x00000056 jbe 00007F38E8DD2006h 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F2ADED second address: F2ADF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2ADF3 second address: F2ADF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2ADF7 second address: F2AE18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007F38E8C7DE56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2AE18 second address: F2AE22 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F38E8DD2006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2B785 second address: F2B78B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2B78B second address: F2B79D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38E8DD200Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2B79D second address: F2B7A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C21B second address: F2C27E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38E8DD2006h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F38E8DD2008h 0x00000010 popad 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F38E8DD2008h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e movsx edi, cx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007F38E8DD2008h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d mov esi, dword ptr [ebp+122D36D5h] 0x00000053 push eax 0x00000054 pushad 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2C27E second address: F2C284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2CE4F second address: F2CE55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F31F01 second address: F31F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F32E19 second address: F32E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F33CCA second address: F33CCF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F35DD1 second address: F35DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F35DDE second address: F35DE4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F35077 second address: F3507E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F36D4F second address: F36D55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F36D55 second address: F36D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F38E8DD2006h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F36D5F second address: F36D63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F36D63 second address: F36D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jmp 00007F38E8DD200Ch 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F36F6F second address: F36F73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38E47 second address: F38E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3AF98 second address: F3AF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38F74 second address: F38F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3A013 second address: F3A019 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F37F6D second address: F37F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3B0B6 second address: F3B0D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F38E8C7DE56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38F7A second address: F38F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F38E8DD200Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3BE39 second address: F3BE3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3B186 second address: F3B18C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3CE44 second address: F3CE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3C013 second address: F3C018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D0B2 second address: F3D0E2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38E8C7DE5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jl 00007F38E8C7DE74h 0x00000011 pushad 0x00000012 jmp 00007F38E8C7DE66h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3EFCF second address: F3EFD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45FD3 second address: F45FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45FD7 second address: F45FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8DD200Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F45FEB second address: F45FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F46279 second address: F4627D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4627D second address: F46283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F46283 second address: F462A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F38E8DD200Fh 0x00000009 jmp 00007F38E8DD200Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F462A3 second address: F462C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F38E8C7DE60h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F462C1 second address: F462DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F38E8DD2008h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55C3A second address: F55C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55D5A second address: F55D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F38E8DD2013h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jbe 00007F38E8DD2018h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55D88 second address: F55D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55EBC second address: F55EC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55EC0 second address: F55EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55EC6 second address: F55ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F55ECC second address: F55ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE022B second address: EE0240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jnc 00007F38E8DD2006h 0x0000000b popad 0x0000000c push esi 0x0000000d jl 00007F38E8DD2006h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A87C second address: F5A894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 pushad 0x00000008 jmp 00007F38E8C7DE5Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A894 second address: F5A89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5A89D second address: F5A8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B0DD second address: F5B0F3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F38E8DD200Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B0F3 second address: F5B0F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B0F7 second address: F5B10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F38E8DD2006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F38E8DD200Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B10E second address: F5B113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B113 second address: F5B119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B555 second address: F5B561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F38E8C7DE56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B845 second address: F5B857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8DD200Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B9AF second address: F5B9DA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F38E8C7DE61h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F38E8C7DE56h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B9DA second address: F5B9DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5B9DE second address: F5BA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F38E8C7DE66h 0x0000000d popad 0x0000000e jnp 00007F38E8C7DE76h 0x00000014 ja 00007F38E8C7DE70h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5BB63 second address: F5BB9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F38E8DD2019h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F38E8DD2012h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5BB9B second address: F5BBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F38E8C7DE68h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FDCD second address: F5FDD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5FF2A second address: F5FF2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6008E second address: F60098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60098 second address: F6009C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6009C second address: F600B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD2015h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F600B5 second address: F600D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F38E8C7DE66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F600D3 second address: F600D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F603CB second address: F603CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F603CF second address: F603F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F38E8DD2015h 0x0000000d popad 0x0000000e jl 00007F38E8DD2025h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F603F6 second address: F603FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6057D second address: F60581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6096A second address: F60970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60970 second address: F60984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F38E8DD200Dh 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60DBE second address: F60DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60DC4 second address: F60DCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDE695 second address: EDE6A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F38E8C7DE56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDE6A1 second address: EDE6CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push esi 0x00000007 push ebx 0x00000008 jmp 00007F38E8DD200Dh 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jmp 00007F38E8DD200Eh 0x00000014 jg 00007F38E8DD2006h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F68274 second address: F6827E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6827E second address: F68289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB15C second address: EDB162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB162 second address: EDB171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F38E8DD2006h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D002 second address: F6D009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D183 second address: F6D187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D187 second address: F6D193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F38E8C7DE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D32D second address: F6D333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D333 second address: F6D352 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F38E8C7DE56h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D352 second address: F6D356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D356 second address: F6D37E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE64h 0x00000007 jmp 00007F38E8C7DE60h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D37E second address: F6D396 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F38E8DD200Dh 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D396 second address: F6D39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D4E1 second address: F6D50C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F38E8DD2014h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D50C second address: F6D555 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F38E8C7DE61h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 ja 00007F38E8C7DE6Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007F38E8C7DE56h 0x0000001e ja 00007F38E8C7DE56h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D6F8 second address: F6D6FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6D864 second address: F6D86B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6DA0F second address: F6DA15 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F73BAB second address: F73BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F72A71 second address: F72A75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F72A75 second address: F72A8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F25D7F second address: F25D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F25FA2 second address: F26017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 add dword ptr [esp], 285EE6EEh 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F38E8C7DE58h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 pushad 0x00000027 or dword ptr [ebp+122D1886h], ecx 0x0000002d stc 0x0000002e popad 0x0000002f call 00007F38E8C7DE59h 0x00000034 push edi 0x00000035 jg 00007F38E8C7DE58h 0x0000003b pop edi 0x0000003c push eax 0x0000003d jmp 00007F38E8C7DE5Eh 0x00000042 mov eax, dword ptr [esp+04h] 0x00000046 ja 00007F38E8C7DE5Eh 0x0000004c jnp 00007F38E8C7DE58h 0x00000052 pushad 0x00000053 popad 0x00000054 mov eax, dword ptr [eax] 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 jg 00007F38E8C7DE56h 0x0000005f push eax 0x00000060 pop eax 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26017 second address: F26034 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F38E8DD200Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jo 00007F38E8DD200Eh 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26117 second address: F2611B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2611B second address: F26132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD2013h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2629D second address: F26316 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F38E8C7DE5Fh 0x0000000f jmp 00007F38E8C7DE5Dh 0x00000014 popad 0x00000015 jnc 00007F38E8C7DE5Ch 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jnc 00007F38E8C7DE5Eh 0x00000026 mov eax, dword ptr [eax] 0x00000028 pushad 0x00000029 pushad 0x0000002a jmp 00007F38E8C7DE60h 0x0000002f jmp 00007F38E8C7DE69h 0x00000034 popad 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26316 second address: F2632F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F38E8DD200Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2641B second address: F2641F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26B6A second address: F26B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F26DCB second address: F26DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26DD1 second address: F26DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26DD5 second address: F26E0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, 56F78D99h 0x00000010 lea eax, dword ptr [ebp+1248B66Eh] 0x00000016 jl 00007F38E8C7DE69h 0x0000001c jmp 00007F38E8C7DE63h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26E0C second address: F26E11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F73148 second address: F7315B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F38E8C7DE5Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7315B second address: F7317C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F38E8DD2006h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jo 00007F38E8DD2006h 0x00000016 pushad 0x00000017 popad 0x00000018 jnl 00007F38E8DD2006h 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7317C second address: F7319E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE68h 0x00000007 jbe 00007F38E8C7DE62h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7319E second address: F731A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F75E9B second address: F75EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F78A4F second address: F78A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f je 00007F38E8DD2012h 0x00000015 jne 00007F38E8DD2006h 0x0000001b ja 00007F38E8DD2006h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F38E8DD2011h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26840 second address: F26844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26844 second address: F26848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26848 second address: F2684E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F2684E second address: F2686F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007F38E8DD2006h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F38E8DD2011h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7E4EA second address: F7E506 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7EF74 second address: F7EF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7EF79 second address: F7EF90 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F38E8C7DE5Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F7EF90 second address: F7EFA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Ah 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE38BE second address: EE38C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE38C3 second address: EE38D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F38E8DD2006h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81E57 second address: F81E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81E5F second address: F81E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81E63 second address: F81E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F38E8C7DE5Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F38E8C7DE69h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F38E8C7DE56h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81E9A second address: F81EB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Bh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F38E8DD2006h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F81EB4 second address: F81EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F38E8C7DE66h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jno 00007F38E8C7DE56h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86CB4 second address: F86CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F38E8DD2019h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86104 second address: F86108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F86815 second address: F8682B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F38E8DD2011h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8682B second address: F86838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F38E8C7DE62h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DE65 second address: F8DE87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD2015h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007F38E8DD2006h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DE87 second address: F8DE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DE8C second address: F8DEBE instructions: 0x00000000 rdtsc 0x00000002 jns 00007F38E8DD200Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F38E8DD2006h 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F38E8DD2010h 0x00000018 pop edi 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jc 00007F38E8DD200Eh 0x00000023 pushad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DEBE second address: F8DEC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DEC2 second address: F8DEC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DEC7 second address: F8DED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8BEB2 second address: F8BED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8DD2018h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C187 second address: F8C19B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F38E8C7DE56h 0x00000008 jc 00007F38E8C7DE56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C19B second address: F8C1C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Ch 0x00000007 jmp 00007F38E8DD2017h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C1C2 second address: F8C1E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F38E8C7DE5Dh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F38E8C7DE56h 0x00000011 jnc 00007F38E8C7DE56h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C1E1 second address: F8C1E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8C7C7 second address: F8C7CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F26021 second address: F26034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jo 00007F38E8DD200Eh 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8CCF6 second address: F8CCFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8CFD9 second address: F8CFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D2CC second address: F8D30A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE66h 0x00000007 jbe 00007F38E8C7DE56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F38E8C7DE63h 0x00000017 jc 00007F38E8C7DE62h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D30A second address: F8D310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D310 second address: F8D314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D5F8 second address: F8D61F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F38E8DD201Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D61F second address: F8D62F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D62F second address: F8D650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8DD2019h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8D650 second address: F8D687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007F38E8C7DE68h 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F38E8C7DE5Fh 0x00000012 jc 00007F38E8C7DE56h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F8DBE9 second address: F8DBED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91B38 second address: F91B6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F38E8C7DE64h 0x0000000a jmp 00007F38E8C7DE64h 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91B6B second address: F91B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F38E8DD2018h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F91B80 second address: F91B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92176 second address: F9217A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9217A second address: F92180 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92180 second address: F9218A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9218A second address: F9219C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE5Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F922E2 second address: F9233F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F38E8DD2012h 0x0000000b popad 0x0000000c je 00007F38E8DD2008h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F38E8DD2013h 0x00000019 jnc 00007F38E8DD200Ch 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F38E8DD2012h 0x00000029 jns 00007F38E8DD2006h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9233F second address: F92347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92574 second address: F92593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F38E8DD2006h 0x0000000a jmp 00007F38E8DD2010h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F92593 second address: F925AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F38E8C7DE58h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jo 00007F38E8C7DE56h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: EE1DAE second address: EE1DD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F38E8DD2018h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F6B0 second address: F9F6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F38E8C7DE56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F805 second address: F9F812 instructions: 0x00000000 rdtsc 0x00000002 js 00007F38E8DD2008h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F812 second address: F9F82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE5Ch 0x00000009 jnc 00007F38E8C7DE56h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F82F second address: F9F845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jg 00007F38E8DD200Eh 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9FC91 second address: F9FC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9FC99 second address: F9FC9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9FC9F second address: F9FCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA0BB5 second address: FA0BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F238 second address: F9F23F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: F9F23F second address: F9F24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007F38E8DD2006h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA5F41 second address: FA5F4B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F38E8C7DE66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9748 second address: FA9754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F38E8DD2006h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9754 second address: FA9774 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE5Ch 0x00000007 jbe 00007F38E8C7DE56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9774 second address: FA9780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jg 00007F38E8DD2006h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FA9A33 second address: FA9A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FB6FA0 second address: FB6FA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC0B6C second address: FC0B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC340A second address: FC342F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jng 00007F38E8DD2006h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F38E8DD2006h 0x00000014 jmp 00007F38E8DD2011h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC342F second address: FC346B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F38E8C7DE67h 0x00000011 jmp 00007F38E8C7DE69h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC346B second address: FC346F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC49AB second address: FC49CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F38E8C7DE5Ch 0x0000000f jbe 00007F38E8C7DE56h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FC49CF second address: FC49DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F38E8DD2006h 0x0000000a jne 00007F38E8DD2006h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD151A second address: FD1537 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F38E8C7DE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jp 00007F38E8C7DE56h 0x00000016 jbe 00007F38E8C7DE56h 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6AE4 second address: FD6AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6AE8 second address: FD6B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F38E8C7DE56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F38E8C7DE5Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD6B02 second address: FD6B07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD55EE second address: FD55F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: FD55F2 second address: FD55F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD55F8 second address: FD55FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD5E13 second address: FD5E22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD5E22 second address: FD5E41 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE69h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FD5E41 second address: FD5E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA23E second address: FDA246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA246 second address: FDA24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA24C second address: FDA258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA258 second address: FDA25E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FDA25E second address: FDA264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF1B8A second address: FF1B90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF1B90 second address: FF1B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF3397 second address: FF33B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD2014h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF33B4 second address: FF33D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8C7DE65h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FF5B1C second address: FF5B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F38E8DD2006h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFC9C3 second address: FFC9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFC9C9 second address: FFC9D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFC9D2 second address: FFC9E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F38E8C7DE60h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFC9E6 second address: FFCA07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F38E8DD200Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F38E8DD2008h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFCA07 second address: FFCA0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFBD6B second address: FFBD70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFFCCA second address: FFFCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1004C1A second address: 1004C24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F38E8DD200Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1007C23 second address: 1007C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1009AD8 second address: 1009ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1009ADE second address: 1009AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1009AE2 second address: 1009AF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F38E8DD200Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1009AF5 second address: 1009AFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFF880 second address: FFF888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFF888 second address: FFF88E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFF88E second address: FFF8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 je 00007F38E8DD2029h 0x0000000c jmp 00007F38E8DD2017h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FFFA03 second address: FFFA07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F29B8A second address: F29BA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F38E8DD200Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: F29D64 second address: F29D6E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F38E8C7DE56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D6DC03 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: F418A3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D6DC4A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 58F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 78F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4C0D0 rdtsc 0_2_00F4C0D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0A23A sidt fword ptr [esp-02h] 0_2_00F0A23A
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe | TID: 6928 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F5118D GetSystemInfo,VirtualAlloc, 0_2_00F5118D
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, file.exe, 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4C0D0 rdtsc 0_2_00F4C0D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0B412 LdrInitializeThunk, 0_2_00F0B412
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, file.exe, 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F4CB9A GetSystemTime,GetFileTime, 0_2_00F4CB9A

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Command and Scripting Interpreter (2); Service Execution (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Windows Service (1); Process Injection (1); DLL Side-Loading (1); Bypass User Account Control (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (41); Virtualization/Sandbox Evasion (271); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Bypass User Account Control (2)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (641); Process Discovery (2); Virtualization/Sandbox Evasion (271); System Information Discovery (24); Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (2); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.XPACK.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP info
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1538204
Start date and time:2024-10-20 20:12:08 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 33s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): SIHClient.exe
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: file.exe
No simulations
No context
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.933055625784213
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'755'648 bytes
MD5:fcea453f064a55fc3ae011ed4c822299
SHA1:bf0240e1df04f0f6d8f346aff5f13709b6f18eb9
SHA256:a732580d9bcc87ecf489b550648116143cfea9b36d165de1237ddb5968ae6c94
SHA512:06739576901b9a54f006ee891fd7ed1c5ae62a2c6e2635aa24d61671ba021b929cd08efafe79b17a10f53afaabc57a5dd9d05f8ebc66ddce3229ca3a37561c2d
SSDEEP:49152:Nhl2z7bwo1t06A9AHW85VlscG3BIsw7i7:/8vEQ5284BIsw7i7
TLSH:898533F97D5B3936E846083288FADA8EDB2A5636C9F21C0980451611A773FB5D37B3C1
File Content Preview:MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............E.. ...`....@.. ....................... F......}....`................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x85e000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp:0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F38E84F83FAh
push gs
sbb al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F38E84FA3F5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 0Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Data directories: Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections: Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x2000 | 0x4000 | 0x1200 | 8c0cb0840120ce3ce666375a92f69531 | False | 0.9331597222222222 | data | 7.803903347541593 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0xa000 | 0x2aa000 | 0x200 | 46e994beec382bf3382a79efca2030fe | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dqhhwlkv | 0x2b4000 | 0x1a8000 | 0x1a6800 | 9e7ad078677e221cb3b543f113a69f08 | False | 0.9948120839497041 | data | 7.952845025246385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ygqkenky | 0x45c000 | 0x2000 | 0x400 | 9bb8013def4ece2a2847bb6873603e19 | False | 0.7568359375 | data | 6.103301834660699 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x45e000 | 0x4000 | 0x2200 | 3b472a4d749104c550d582fccaef6a10 | False | 0.06732536764705882 | DOS executable (COM) | 0.7503536708234921 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources: Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports: DLL | Import
kernel32.dll | lstrcpy
No network behavior found


Target ID:0
Start time:14:13:02
Start date:20/10/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0xd60000
File size:1'755'648 bytes
MD5 hash:FCEA453F064A55FC3AE011ED4C822299
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true


    Execution Graph

    Execution Coverage:4.7%
    Dynamic/Decrypted Code Coverage:4.2%
    Signature Coverage:4.7%
    Total number of Nodes:360
    Total number of Limit Nodes:19
    execution_graph 7464 f4dcd4 7465 f48a4d 2 API calls 7464->7465 7466 f4dce0 7465->7466 7467 f4dd48 MapViewOfFileEx 7466->7467 7468 f4dcf9 7466->7468 7467->7468 7188 f4db76 7190 f4db82 7188->7190 7191 f4db9a 7190->7191 7193 f4dbc4 7191->7193 7194 f4dab0 7191->7194 7196 f4dabc 7194->7196 7204 f48a4d GetCurrentThreadId 7196->7204 7198 f4dacf 7199 f4db48 7198->7199 7200 f4db0d 7198->7200 7202 f4dae9 7198->7202 7201 f4db4d CreateFileMappingA 7199->7201 7200->7202 7208 f4b187 7200->7208 7201->7202 7205 f48a65 7204->7205 7206 f48a9b Sleep 7205->7206 7207 f48aac 7205->7207 7206->7205 7207->7198 7211 f4b19e 7208->7211 7209 f4b29b 7209->7202 7210 f4b207 CreateFileA 7212 f4b24c 7210->7212 7211->7209 7211->7210 7212->7209 7214 f4a866 CloseHandle 7212->7214 7215 f4a87a 7214->7215 7215->7209 7469 f4d397 7471 f4d3a0 7469->7471 7472 f48a4d 2 API calls 7471->7472 7473 f4d3ac 7472->7473 7474 f4d3fc ReadFile 7473->7474 7475 f4d3c5 7473->7475 7474->7475 7476 f52191 7478 f5219d 7476->7478 7479 f521af 7478->7479 7480 f4a0ac 18 API calls 7479->7480 7481 f521be 7480->7481 7482 f521d7 7481->7482 7483 f51d4e 2 API calls 7481->7483 7483->7482 7216 f4a5bc 7218 f4a5c8 7216->7218 7219 f4a5dc 7218->7219 7221 f4a604 7219->7221 7222 f4a61d 7219->7222 7224 f4a626 7222->7224 7225 f4a635 7224->7225 7226 f48a4d 2 API calls 7225->7226 7233 f4a63d 7225->7233 7229 f4a647 7226->7229 7227 f4a6e0 GetModuleHandleW 7230 f4a675 7227->7230 7228 f4a6ee GetModuleHandleA 7228->7230 7232 f4a662 7229->7232 7234 f4915f 7229->7234 7232->7230 7232->7233 7233->7227 7233->7228 7235 f49170 7234->7235 7236 f491ad 7234->7236 7235->7236 7238 f49000 7235->7238 7236->7232 7239 f4902d 7238->7239 7240 f49076 7239->7240 7241 f4905b PathAddExtensionA 7239->7241 7249 f49133 7239->7249 7243 f49098 7240->7243 7250 f48ca1 7240->7250 7241->7240 7244 f48ca1 lstrcmpiA 7243->7244 7246 f490e1 7243->7246 7243->7249 7244->7246 7245 f48ca1 lstrcmpiA 7247 f4910a 7245->7247 7246->7245 7246->7247 7246->7249 7248 f48ca1 lstrcmpiA 7247->7248 
7247->7249 7248->7249 7249->7235 7252 f48cbf 7250->7252 7251 f48cd6 7251->7243 7252->7251 7254 f48c1e 7252->7254 7255 f48c49 7254->7255 7256 f48c7b lstrcmpiA 7255->7256 7257 f48c91 7255->7257 7256->7257 7257->7251 7484 f521dd 7486 f521e9 7484->7486 7487 f521fb 7486->7487 7492 f4a0c5 7487->7492 7489 f5220a 7490 f52223 7489->7490 7491 f51d4e GetModuleFileNameA VirtualProtect 7489->7491 7491->7490 7494 f4a0d1 7492->7494 7496 f4a0e6 7494->7496 7495 f4a104 7496->7495 7497 f4a113 18 API calls 7496->7497 7497->7495 7498 f4d01d 7500 f4d029 7498->7500 7501 f48a4d 2 API calls 7500->7501 7502 f4d035 7501->7502 7504 f4d055 7502->7504 7505 f4cf74 7502->7505 7507 f4cf80 7505->7507 7508 f4cf94 7507->7508 7509 f48a4d 2 API calls 7508->7509 7510 f4cfac 7509->7510 7518 f491b1 7510->7518 7513 f4915f 2 API calls 7514 f4cfcf 7513->7514 7515 f4cfd7 7514->7515 7516 f4d004 GetFileAttributesA 7514->7516 7517 f4cff3 GetFileAttributesW 7514->7517 7516->7515 7517->7515 7519 f49265 7518->7519 7520 f491c5 7518->7520 7519->7513 7519->7515 7520->7519 7521 f49000 2 API calls 7520->7521 7521->7520 7522 5620d48 7523 5620d93 OpenSCManagerW 7522->7523 7525 5620ddc 7523->7525 7526 5621308 7527 5621349 ImpersonateLoggedOnUser 7526->7527 7528 5621376 7527->7528 7258 f02a3c 7259 f03042 7258->7259 7260 f03093 RegOpenKeyA 7259->7260 7261 f0306c RegOpenKeyA 7259->7261 7263 f030b0 7260->7263 7261->7260 7262 f03089 7261->7262 7262->7260 7264 f030f4 GetNativeSystemInfo 7263->7264 7265 f030ff 7263->7265 7264->7265 7265->7265 7266 f0243e 7267 f029e0 LoadLibraryA 7266->7267 7269 f06766 7267->7269 7270 f4a264 7273 f4a0ac 7270->7273 7276 f4a113 7273->7276 7275 f4a0c1 7278 f4a120 7276->7278 7280 f4a136 7278->7280 7279 f4a13e 7282 f4a21e 7279->7282 7283 f4a20b 7279->7283 7280->7279 7281 f4a15b 7280->7281 7295 f52400 7280->7295 7285 f48a4d 2 API calls 7281->7285 7287 f4a23c LoadLibraryExA 7282->7287 7288 f4a228 LoadLibraryExW 7282->7288 7317 f49f4b 7283->7317 7289 f4a160 7285->7289 7294 f4a1e2 7287->7294 7288->7294 
(Execution graph, continued. The node/edge list of the interactive call graph is not reproduced; the functions on this part of the graph and the APIs they reach are: f49f77 LoadLibraryExA; f4932a, f49384, f49442, f51541 and f511eb VirtualAlloc; f4970f and f51d08 VirtualProtect; f514d9 VirtualAlloc, GetModuleFileNameA and VirtualProtect; f4950f and f49e37 lstrcmpiA; f49d65 lstrcpyn; f4a3c7 GetProcAddress; f519a5 and f51323 GetModuleFileNameA; f4a76a GetModuleHandleExA; f4a30e FreeLibrary; f4a866 and f4b7db CloseHandle; f4d14e IsBadWritePtr; f4d236 CreateFileW; f4d259 and f4a9e9 CreateFileA; f4d0b8 GetWindowsDirectoryA; f5118d GetSystemInfo; f4cb14 GetCurrentProcess; f4cb65 DuplicateHandle; and, in the 5620000 region, 5621558 ControlService and 562164e ChangeServiceConfigA.)

    Control-flow Graph

    • Function f5118d, basic blocks f5118d-f51322 (interactive node/edge list not reproduced). GetSystemInfo in the entry block; VirtualAlloc at f511eb; five call sites to f514d9 (f511eb, f5123a, f51264, f5128e, f512eb) and one to f51323 (f5131a); each f514d9 call site can branch to the f5131a exit path.
    APIs
    • GetSystemInfo.KERNELBASE(?,-11565FEC), ref: 00F51199
    • VirtualAlloc.KERNELBASE(00000000,00004000,00001000,00000004), ref: 00F511FA
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AllocInfoSystemVirtual
    • String ID:
    • API String ID: 3440192736-0
    • Opcode ID: d2698cf2cf3b57ead85935e7dfb672ebf127e2e6a3a6bf604404519cc8cf6a83
    • Instruction ID: 7ea796395cb86b427b4372a6f0553101e4d11314df3340c2d23ab1072e7d30fd
    • Opcode Fuzzy Hash: d2698cf2cf3b57ead85935e7dfb672ebf127e2e6a3a6bf604404519cc8cf6a83
    • Instruction Fuzzy Hash: D74113B1D40206AFE725DF65CC45FA6B7ACFB49711F004066A703DAC82E770A5D8CBA4

    Control-flow Graph

    • Function 56215d0, basic blocks 56215d0-5621995 (interactive node/edge list not reproduced). Six short self-looping blocks (562167a, 56216d8, 5621732, 5621790, 56217ea, 5621848) precede ChangeServiceConfigA in block 5621861-56218d8; after the call, six conditional call sites to 562013c (5621928, 562193c, 5621950, 5621964, 5621978, 562198c) lead to a final block at 5621995 that branches to itself.
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 056218C8
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 3d6c02396ccba909c9b4c88b1999330795117d664f71d10644cd68629a85826a
    • Instruction ID: 2bfe1820e5ef1d88d0c0e0b5f236fe1a9a1d016efe0ee9d83de16a46cf632b64
    • Opcode Fuzzy Hash: 3d6c02396ccba909c9b4c88b1999330795117d664f71d10644cd68629a85826a
    • Instruction Fuzzy Hash: 61C13A71D04A699FDB10CFA9C8857AEBBB2FB4A310F148129EC55A7780D7749891CF82

    Control-flow Graph

    APIs
    • LoadLibraryExW.KERNEL32(?,?,?), ref: 00F4A231
    • LoadLibraryExA.KERNELBASE(00000000,?,?), ref: 00F4A245
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID: .dll$.exe$1002
    • API String ID: 1029625771-847511843
    • Opcode ID: 89d25229a59b6a557c59d093878236600df86cf4d49c5d7561cccd6fb8ad56d6
    • Instruction ID: 69693f069f4ea9871d27e21f8e84a183d9d82ee474e66746f898f48dcb2bd928
    • Opcode Fuzzy Hash: 89d25229a59b6a557c59d093878236600df86cf4d49c5d7561cccd6fb8ad56d6
    • Instruction Fuzzy Hash: 24319432944149FFDB21AF20CC00AAD3F35FF58360F008126FD0286161DBB59AA0FB92

    Control-flow Graph

    • Function f4a626, basic blocks f4a626-f4a703 (interactive node/edge list not reproduced). Calls f49f8a at entry, then f48a4d and f4915f; GetModuleHandleW at f4a6e0 or GetModuleHandleA at f4a6ee, converging at f4a6f7; f48af8 is called on both the f4a6d1 and the f4a675 path.
    APIs
    • GetModuleHandleW.KERNEL32(?,?,?,?,00F4A5B8,?,00000000,00000000), ref: 00F4A6E3
    • GetModuleHandleA.KERNEL32(00000000,?,?,?,00F4A5B8,?,00000000,00000000), ref: 00F4A6F1
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: .dll
    • API String ID: 4139908857-2738580789
    • Opcode ID: f7db79c8db00c14cc5ea3efd3e69171e570d181834ae2c5d2aca2ae460491967
    • Instruction ID: 786da16d3bd6471c3591f4743d0e467b368410b9ccad3abf6b7093908ebb0f59
    • Opcode Fuzzy Hash: f7db79c8db00c14cc5ea3efd3e69171e570d181834ae2c5d2aca2ae460491967
    • Instruction Fuzzy Hash: 8E117C3168250AFBDB309F24C8087A97EB0BF40391F094125BC12454A1DBF999E4FE83

    Control-flow Graph

    • Function f4cf80, basic blocks f4cf80-f4d01a (interactive node/edge list not reproduced). Calls f48a4d, f491b1 and f4915f, then GetFileAttributesW at f4cff3 or GetFileAttributesA at f4d004, converging at f4d00d before the f48af8 call at f4d013.
    APIs
    • GetFileAttributesW.KERNELBASE(01651214,-11565FEC), ref: 00F4CFF9
    • GetFileAttributesA.KERNEL32(00000000,-11565FEC), ref: 00F4D007
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 6d59d7abf2d5a367ecf51a55d2ba4a17280d4041a733a1eedcdbc3e1efb0f735
    • Instruction ID: 48b2af5edb792d6dd1ed7d5155200a00ddd5c0f1d39437d4d92c8a7300a9c8cc
    • Opcode Fuzzy Hash: 6d59d7abf2d5a367ecf51a55d2ba4a17280d4041a733a1eedcdbc3e1efb0f735
    • Instruction Fuzzy Hash: 12018131604205FADF229F18DC0DB9DBE71AF40364F204125FD0266495CBB94A96F7A0

    Control-flow Graph

    • Function f02a3c, basic blocks f02a3c-f063e5 (interactive node/edge list not reproduced). Very large straight-line blocks (f02a3c-f0306a, f03149-f044c1, f05238-f05a96); RegOpenKeyA at f0306c and f03093, GetNativeSystemInfo at f030f4; the final block at f063e5 branches to itself.
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00F0307F
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00F030A6
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00F030FD
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 7149cbae7cf8e978065e67822d50e169af8e2da32ec136bfdef78f87dca4edc4
    • Instruction ID: fed02b62e41ba28fa9b786b7143a5531fda249e2960c28c66abd9d8c96f9538e
    • Opcode Fuzzy Hash: 7149cbae7cf8e978065e67822d50e169af8e2da32ec136bfdef78f87dca4edc4
    • Instruction Fuzzy Hash: 5A410AB280810E9FEB15DF64C948BEE7BE4EF04310F50052AED8182980E7765DA4EF4A

    Control-flow Graph

    • Function f49000, basic blocks f49000-f4915c (interactive node/edge list not reproduced). PathAddExtensionA at f4905b; four call sites to f48ca1 (f49084, f490cd, f490f6, f4911f) and one to f48cda (f49148), each able to fall through to the return at f4915b.
    APIs
    • PathAddExtensionA.KERNELBASE(?,00000000), ref: 00F49062
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: ExtensionPath
    • String ID: \\?\
    • API String ID: 158807944-4282027825
    • Opcode ID: 91a900db5d88a4d70a96ac321733c96fdef2a97a9df0508b8d98bf09174007c8
    • Instruction ID: 6029ff526fc6bd04b402261ec3c49cd0a94bd04c3eb9a9da6d023cc01b14f6da
    • Opcode Fuzzy Hash: 91a900db5d88a4d70a96ac321733c96fdef2a97a9df0508b8d98bf09174007c8
    • Instruction Fuzzy Hash: 6B311A31A0060AFFEF219F94CC09F9FBBB5BF58364F000055FA02A6160D7B29961EB50

    Control-flow Graph

    • Function f4a70f, basic blocks f4a70f-f4a785 (interactive node/edge list not reproduced). Calls f48a4d at entry and, on one path, f4915f; GetModuleHandleExA in block f4a765-f4a779, with f48af8 called on both paths leading to it.
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    • GetModuleHandleExA.KERNELBASE(?,?,?), ref: 00F4A773
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentHandleModuleSleepThread
    • String ID: .dll
    • API String ID: 683542999-2738580789
    • Opcode ID: ae01a7b8abcf6708afb92f516a6bfdbf6f1315b6f7719fb61e43c7f84861d3da
    • Instruction ID: 4f1f6edbcd2ab357cf74418fa3b42b0e25c78c5526ee9c83b0c67b691473eb95
    • Opcode Fuzzy Hash: ae01a7b8abcf6708afb92f516a6bfdbf6f1315b6f7719fb61e43c7f84861d3da
    • Instruction Fuzzy Hash: A3F06D72684205BFDF20AF68C949B9D3FB5BF14360F508011FE154A152DBB4C591BA22

    Control-flow Graph

    • Function f4d19c, basic blocks f4d19c-f4d281 (interactive node/edge list not reproduced). Calls f48a4d, optionally f4d0a9, then f4d14e (IsBadWritePtr), f4915f and optionally f4a9a3; CreateFileW at f4d236 or CreateFileA at f4d259, converging at f4d274 before f48af8 at f4d27a.
    APIs
    • CreateFileW.KERNELBASE(01651214,?,?,-11565FEC,?,?,?,-11565FEC,?), ref: 00F4D24E
      • Part of subcall function 00F4D14E: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F4D15C
    • CreateFileA.KERNEL32(?,?,?,-11565FEC,?,?,?,-11565FEC,?), ref: 00F4D26E
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile$Write
    • String ID:
    • API String ID: 1125675974-0
    • Opcode ID: 3199c68b3906f3b93208de616a5d62b5dc7df02b86ce542076469f17619236b9
    • Instruction ID: a6b7fec138769521005532e939530edf36f42af193737aa6e29f480b03d18a56
    • Opcode Fuzzy Hash: 3199c68b3906f3b93208de616a5d62b5dc7df02b86ce542076469f17619236b9
    • Instruction Fuzzy Hash: 6511077250414AFBEF229F94CD09BAD3F22BF49394F104115FD15540A5CBB9CAA1FB51

    Control-flow Graph

    • Function f4cb08, basic blocks f4cb08-f4cb8e (interactive node/edge list not reproduced). Calls f48a4d and GetCurrentProcess in the entry block; one path goes through f488a7, then f4a8a5 and f48af8 at f4cb4f; the other calls f48af8 and DuplicateHandle in block f4cb60-f4cb82.
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    • GetCurrentProcess.KERNEL32(-11565FEC), ref: 00F4CB15
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F4CB7B
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: Current$DuplicateHandleProcessSleepThread
    • String ID:
    • API String ID: 2846201637-0
    • Opcode ID: 0a2d90d9ab446f9b9f584c4e73114574a35cbb3daafbdf3e4fa8217732bca6af
    • Instruction ID: 43954511550a788f1ff3765a3c5d691843eede9d0447314bfdb5295f9f55323f
    • Opcode Fuzzy Hash: 0a2d90d9ab446f9b9f584c4e73114574a35cbb3daafbdf3e4fa8217732bca6af
    • Instruction Fuzzy Hash: E2014B3260054AFBCF12AFA5DC05C9E3F75FF987A07004111FE5191010CB79D0A2BB66

    Control-flow Graph

    • Function f48a4d, basic blocks f48a4d-f48ab9 (interactive node/edge list not reproduced). GetCurrentThreadId at entry, then a wait loop f48a65 -> f48a77 -> f48a7f -> (f48a8c) -> f48a9b Sleep -> f48a65 that exits to f48aac, which calls f4f8cc.
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00F48A5C
    • Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: the same nine dumps (00D60000 to 011BE000) listed in the GetSystemInfo/VirtualAlloc section above
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: df238f6c204e3715903d6afd4d4992a2777932cb65822e65c3c3110cf8fc6d21
    • Instruction ID: 168d32555ab95205c91ffdfaafcb6b64c1cb4aa847ec566cea86de153945bc89
    • Opcode Fuzzy Hash: df238f6c204e3715903d6afd4d4992a2777932cb65822e65c3c3110cf8fc6d21
    • Instruction Fuzzy Hash: B1F0BE71600146FFDB218F60C94876FBBB4FF41369F20003AEA0286650CBF8198BEA81

    Control-flow Graph

    • Function 56215c4, basic blocks 56215c4-5621995 (interactive node/edge list not reproduced). Same structure as 56215d0 above: six short self-looping blocks, ChangeServiceConfigA in block 5621871-56218d8 (reached from 5621861-5621867), six conditional call sites to 562013c, and a final block at 5621995 that branches to itself.
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 056218C8
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: f872f68190217312d9c7a164003f01a926320638cdcac2178c803d6b15a07a42
    • Instruction ID: 073e3da7c40d93f475eab33cd2a785921297a76b45802451a2f68eebbd03af44
    • Opcode Fuzzy Hash: f872f68190217312d9c7a164003f01a926320638cdcac2178c803d6b15a07a42
    • Instruction Fuzzy Hash: 8CC12A71D04A699FDB10CFA8C8857AEBBB1FB4A310F148129EC55E7780D7749991CF82

    Control-flow Graph (rendered graph not reproduced in text)
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 56f193652036f428cba57cb6fb8a8978a78214ba309d17be6e1faef41f3b1fe3
    • Instruction ID: e43f1bd8f3debcb3f2c8d150c5e7c09298de9c72f63631d6a57472c767e35e6f
    • Opcode Fuzzy Hash: 56f193652036f428cba57cb6fb8a8978a78214ba309d17be6e1faef41f3b1fe3
    • Instruction Fuzzy Hash: C841B272D00209EFDB25CF55D948BAAB7B5FF44322F108055EE12AA541D3B1BCE8EB51

    Control-flow Graph (rendered graph not reproduced in text)
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000,00000010), ref: 00F4B23C
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: bb1c8ce5ffdad90db2260c48dc6c5b8084bcd31bd8a4482f72408af37eb10aef
    • Instruction ID: 4051be62f934b90fdfc211759e322e626315ddbc759d9eaf0dd26a0dcab417aa
    • Opcode Fuzzy Hash: bb1c8ce5ffdad90db2260c48dc6c5b8084bcd31bd8a4482f72408af37eb10aef
    • Instruction Fuzzy Hash: B131B271900205FFDB219F64CC45F9EBFB8FF44324F208169F915AA192CBB59A52EB10
    APIs
    • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000000), ref: 00F4AA25
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: cd33108ea941284499ee8d7ef11c2cbd6d3e257251e89df5cc9dc7d3e1784095
    • Instruction ID: 77e368998e382217a9ff8d4e7000c13aacf87a036952e207155d00a2e5ef6929
    • Opcode Fuzzy Hash: cd33108ea941284499ee8d7ef11c2cbd6d3e257251e89df5cc9dc7d3e1784095
    • Instruction Fuzzy Hash: 96318171A40204FFEB209F64DC45F99BBB8FB04724F208269FA11AA1D1DBB5A542DB51
    APIs
    • GetModuleFileNameA.KERNELBASE(?,?,0000028A,?,?), ref: 00F519B3
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: FileModuleName
    • String ID:
    • API String ID: 514040917-0
    • Opcode ID: 18a863d4f1c50c9526a0447a1cf2112c99b1caa480a00224845f00f07a055f77
    • Instruction ID: 487f09afcb2aa083b01e0c0b7c41a1bf531c3e9dcd8237e077bf95f77ed35449
    • Opcode Fuzzy Hash: 18a863d4f1c50c9526a0447a1cf2112c99b1caa480a00224845f00f07a055f77
    • Instruction Fuzzy Hash: 5711B972E01229AFEB304654CCA9BEBF77CFF54722F2041A5EE4592041D774AD88DAA1
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05620DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 818f9f307e80bc3f90c62a1dadfa0f964ff8e3504c7e1626bf89f194ebec06c9
    • Instruction ID: 8bcf0602dfcacd906514df02b6eb63cef7e0673f9339241e23202c98a447585b
    • Opcode Fuzzy Hash: 818f9f307e80bc3f90c62a1dadfa0f964ff8e3504c7e1626bf89f194ebec06c9
    • Instruction Fuzzy Hash: B32104B68016199FCB50CF99D885BDEFBF4FB88320F14852AE909AB345D774A540CFA4
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 05620DCD
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 173b8a5e04462bb5131cfef4fa2b23ea773df45596079ef73b1b15addee26543
    • Instruction ID: 3a478538f4ca939e9d825bc81dfbfad6f8ce0e88f1a283afe55a096a1cd5ebce
    • Opcode Fuzzy Hash: 173b8a5e04462bb5131cfef4fa2b23ea773df45596079ef73b1b15addee26543
    • Instruction Fuzzy Hash: E72104B68016189FCB50CF99D884BDEFBB4FB88320F14851AD909AB245D734A540CFA4
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05621580
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 9d72cfd81fe25d0167eadcbcb67924f70ac24ebbb6846dc3f0474fc3424ded8e
    • Instruction ID: 6574fca02094baeb3f455148660b448a20aa9b1b0e898bd833579c0ac7d50166
    • Opcode Fuzzy Hash: 9d72cfd81fe25d0167eadcbcb67924f70ac24ebbb6846dc3f0474fc3424ded8e
    • Instruction Fuzzy Hash: BA2114B6D00249CFCB10CF9AC584BDEFBF4AB48320F14842AE559B7250D378A684CFA5
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 05621580
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: 70e1217a265d3b6b1665f82efae3dd6ac7b823b8464acf1ab48a458ca4ae1ae2
    • Instruction ID: ad0453a5008b24715df57949e3a83f4ebf75a2d93e82bf1cb9cf802221d0e821
    • Opcode Fuzzy Hash: 70e1217a265d3b6b1665f82efae3dd6ac7b823b8464acf1ab48a458ca4ae1ae2
    • Instruction Fuzzy Hash: 2E1114B1900249CFCB10CF9AC484BDEFBF4EB48320F108029E559A3250D378AA44CFA5
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    • MapViewOfFileEx.KERNELBASE(?,?,?,?,?,?,-11565FEC), ref: 00F4DD5B
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentFileSleepThreadView
    • String ID:
    • API String ID: 2270672837-0
    • Opcode ID: 8d68edc1ce40ca80d79eb915888848ae8dcd88b55772408d1b9a5d0072d62bf7
    • Instruction ID: 3050714f15c46f47345164d8d8d350b88dc20e8bf101b3e16d0024151779a76e
    • Opcode Fuzzy Hash: 8d68edc1ce40ca80d79eb915888848ae8dcd88b55772408d1b9a5d0072d62bf7
    • Instruction Fuzzy Hash: 1011A27290054AFBCF12AFA4CC09E9E3E76BF59351B004451FE1156025DB7AC5B2FB61
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentSleepThread
    • String ID:
    • API String ID: 1164918020-0
    • Opcode ID: 997cd666b9bfceef6bdb54ea5545bb4d440785b508c1eb62c9a995bbbdc3ef28
    • Instruction ID: 4b4bef2df2755cbe0bd1dd7183cfc77cfcbb0b4e2549ff109e7dfae6aca9e5e6
    • Opcode Fuzzy Hash: 997cd666b9bfceef6bdb54ea5545bb4d440785b508c1eb62c9a995bbbdc3ef28
    • Instruction Fuzzy Hash: 3F11093290010AFBCF12AFA4CC09E9E7FA6EF84394F114055FD1156162DBB9C562FB61
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05621367
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 9bf818e4e2817c64eb563e87ad1eedeaeb8a9ab6031c860b7843a670e1789482
    • Instruction ID: 3760504141dcc4dd6f8570c88fd376ab9b2f8ab669ac93c601593e967c96b3ab
    • Opcode Fuzzy Hash: 9bf818e4e2817c64eb563e87ad1eedeaeb8a9ab6031c860b7843a670e1789482
    • Instruction Fuzzy Hash: 731155B1800349CFCB10CFAAC484BDEFBF4EB48320F24846AD558A7650C738A540CFA5
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 05621367
    Memory Dump Source
    • Source File: 00000000.00000002.1848131833.0000000005620000.00000040.00000800.00020000.00000000.sdmp, Offset: 05620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_5620000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 474fcbb0117491bca4df5547d14908f30396ca1eb5d1fd73fd0ecbaa89ce8422
    • Instruction ID: 327f3293701c26b45c56df0695a3fc6efe17719464e2e6198832da28f0128298
    • Opcode Fuzzy Hash: 474fcbb0117491bca4df5547d14908f30396ca1eb5d1fd73fd0ecbaa89ce8422
    • Instruction Fuzzy Hash: F51145B1800259CFDB10CFAAC445BDEFBF8EB48324F24842AD558A3650C778A984CFA5
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 60f40bbef136e96c8cf2c2dc0684bda0e85a5decb7bba83c31e560c8529dfe44
    • Instruction ID: 75d39336c25925d22b660b43bc7ae16531582e8ceb7cb344c99e7fecca3bc1ba
    • Opcode Fuzzy Hash: 60f40bbef136e96c8cf2c2dc0684bda0e85a5decb7bba83c31e560c8529dfe44
    • Instruction Fuzzy Hash: DD0182B691E310EFE3056F11CA4163EBBE4EF84B20F11882EEAC683640C6304C50BB87
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    • ReadFile.KERNELBASE(?,00000000,?,00000400,?,-11565FEC,?,?,00F4B0CF,?,?,00000400,?,00000000,?,00000000), ref: 00F4D40C
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentFileReadSleepThread
    • String ID:
    • API String ID: 1253362762-0
    • Opcode ID: efdaba581ea70a5622276acbef5e39b87653d380e3bda8da496cb33c4cc85352
    • Instruction ID: f0410abf978094bff53ef467d27676d27e4beeaeccfff44479d578d920d7a2c6
    • Opcode Fuzzy Hash: efdaba581ea70a5622276acbef5e39b87653d380e3bda8da496cb33c4cc85352
    • Instruction Fuzzy Hash: 35F0C97250414AFBCF12AF98DC09D9E3F66EF94390F404021FE1149061DB7AD4A2FB61
    APIs
    • GetProcAddress.KERNEL32(00F49B39,00F49B39), ref: 00F4A3CE
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 8ff3cbd964b39a221fbd3820d03f5495aa6cf504e9261328939355525376486a
    • Instruction ID: 36a968075e455f851b7fc714da45124328a2b84787ebdd30a11efbab884008b1
    • Opcode Fuzzy Hash: 8ff3cbd964b39a221fbd3820d03f5495aa6cf504e9261328939355525376486a
    • Instruction Fuzzy Hash: 64E01233684105FA9F527FB4CD0996E3E256E80390B409122BD1555061FFFAC952F763
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: lstrcmpi
    • String ID:
    • API String ID: 1586166983-0
    • Opcode ID: 3f750db4bbae5872a373e4cb13c00751262e0c02e658710547cbf428c9d7ad7f
    • Instruction ID: 373256855707a1c273832c5f0d38faccc7d34334a6896ca26378603e48de164f
    • Opcode Fuzzy Hash: 3f750db4bbae5872a373e4cb13c00751262e0c02e658710547cbf428c9d7ad7f
    • Instruction Fuzzy Hash: 7F01E836A00549FFDF119FA4CC08D9EBF76EF45380F0041A1EA05A4461EB328A62EB64
    APIs
    • VirtualAlloc.KERNELBASE(00000000,00001000,00001000,00000004,?,?,00F5152C,?,?,00F51232,?,?,00F51232,?,?,00F51232), ref: 00F51550
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: b984c55a6e374b08ad8bd977bfac1b3e53eb10a0293ce4717282e9e0c158f595
    • Instruction ID: 3218131e21a7e78e4975fbbaad872ef29c63d790118c39837d1a6821effd1392
    • Opcode Fuzzy Hash: b984c55a6e374b08ad8bd977bfac1b3e53eb10a0293ce4717282e9e0c158f595
    • Instruction Fuzzy Hash: 74F081B1D44305EFDB248F04C904B59BFA4FF89763F158069F94A9B551E3B1A8C1DB90
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    • CloseHandle.KERNELBASE(00F4B164,-11565FEC,?,?,00F4B164,?), ref: 00F4B7DF
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CloseCurrentHandleSleepThread
    • String ID:
    • API String ID: 4003616898-0
    • Opcode ID: b0156b8542e98d8fc2ff293d300f62de4962a580d74221736f574946f514462b
    • Instruction ID: 587654d39b1f5c7e25f8054d291b6ad70bd5b7f22a18ae1860786842f2301ffe
    • Opcode Fuzzy Hash: b0156b8542e98d8fc2ff293d300f62de4962a580d74221736f574946f514462b
    • Instruction Fuzzy Hash: 68E04F62600045B6CE20BFB9CC49D8E3E69AFD03C0B404122FD1285452EFBCC093B271
    APIs
    • CloseHandle.KERNELBASE(?,?,00F488EC,?,?), ref: 00F4A86C
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: c206690769b9fe1b77ffbec89ca956e80dc9def922c43642b3f5841b5ca9f2ba
    • Instruction ID: 4407b8f60e507e74e6f83cacce72cf565be2753f46f300e937f65ecaf9fcb794
    • Opcode Fuzzy Hash: c206690769b9fe1b77ffbec89ca956e80dc9def922c43642b3f5841b5ca9f2ba
    • Instruction Fuzzy Hash: BDB09231200508BBCB51BF61DC0684DBFB9BF21398B40C120F956440219BBAEAA2AB91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: &Jww$?<(+$O*$T>7z$WD/p$\F.$]@T$q)6S
    • API String ID: 0-3743717838
    • Opcode ID: 5401b315be32130cb86161b3bd0c53c0ca97fdd0823b7a279b3866d171a76947
    • Instruction ID: 7afef3938497d4174c78db99b41656bb3f455fdc88995ce599dc45207a572e85
    • Opcode Fuzzy Hash: 5401b315be32130cb86161b3bd0c53c0ca97fdd0823b7a279b3866d171a76947
    • Instruction Fuzzy Hash: 79B218F3A0C2109FE3046E2DEC8567ABBE9EF94720F1A493DEAC4C7744E63558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: @;W$!}$%o~$6ABr$;2o;$})~?$m5-$wv
    • API String ID: 0-4173041152
    • Opcode ID: 9b0ba44fbd539d75618af52505998c2e86ba77873d9bbe961c01cafa4d298d5c
    • Instruction ID: f0adf995988cc81c14761326be571f6f0ac757e1d555261ce33da241f90bf3d1
    • Opcode Fuzzy Hash: 9b0ba44fbd539d75618af52505998c2e86ba77873d9bbe961c01cafa4d298d5c
    • Instruction Fuzzy Hash: 1D52E5F36086009FE304AE2DDC8567AF7EAEFD4720F1A853DE6C4C7744EA3558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 1x{$3w{$A:{$Au;7$WB}w$Z~m{$fm~
    • API String ID: 0-163905370
    • Opcode ID: 095d14d840c39a3bbe1ac5c685f4a17011d7fd2e2750273bac8c1b849c9d76de
    • Instruction ID: ccec41c60c628221a20dc2e6f9b8644cf8ebeebdd1d75cc5a15a2074c40496ba
    • Opcode Fuzzy Hash: 095d14d840c39a3bbe1ac5c685f4a17011d7fd2e2750273bac8c1b849c9d76de
    • Instruction Fuzzy Hash: D8B208F36082049FE704AE2DEC8567AF7E9EFD4720F1A893DEAC4C7744E63558058692
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: &@ke$CA{?$WKu$cVn$n~?6$oJ~$qco
    • API String ID: 0-2874111487
    • Opcode ID: 87e180090779d73335f7681fbe60fe024a84f2b6dc3be0785b4d77a2b119c313
    • Instruction ID: 72fa02fb84149f416c776b46ab549c846cb2ee63f391adb0fd7046209f179353
    • Opcode Fuzzy Hash: 87e180090779d73335f7681fbe60fe024a84f2b6dc3be0785b4d77a2b119c313
    • Instruction Fuzzy Hash: 04B24CF360C2009FE308AE2DEC9567ABBE6EFD4320F16493DE6C5C7744EA3598418656
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: +>O$0[3{$<L;$\=[_$tG1w$|4y}
    • API String ID: 0-2179601017
    • Opcode ID: 55c1c339b553aae8913f0ef0665ed7c818f60d44219279513bc55bb0c768af28
    • Instruction ID: e877c4977efae94170a05af1748b8821fe1d39e72e0aec604259fb657817d98d
    • Opcode Fuzzy Hash: 55c1c339b553aae8913f0ef0665ed7c818f60d44219279513bc55bb0c768af28
    • Instruction Fuzzy Hash: D9B2F7F360C6009FE304AE2DEC8567AFBE9EF94720F1A893DE6C4C7744E63558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: 1j_t$:M+G$:M+G$=k}$MUS7$_EA_
    • API String ID: 0-2233019265
    • Opcode ID: e46bbe94fa9282a4ece90351559e8205c2a8f6fcc8fa02f5bc38d8edf1a9b865
    • Instruction ID: 1c0c8ee0d9540d7a36e986e702148ed3376feea29b405975648aafc6abf18abb
    • Opcode Fuzzy Hash: e46bbe94fa9282a4ece90351559e8205c2a8f6fcc8fa02f5bc38d8edf1a9b865
    • Instruction Fuzzy Hash: C8B2F5F350C200AFE304AE2DEC8567ABBE5EF94720F164A3DEAC4C7744EA3558458697
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
      • Part of subcall function 00F4D14E: IsBadWritePtr.KERNEL32(?,00000004), ref: 00F4D15C
    • wsprintfA.USER32 ref: 00F4C116
    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00F4C1DA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CurrentImageLoadSleepThreadWritewsprintf
    • String ID: %8x$%8x
    • API String ID: 2375920415-2046107164
    • Opcode ID: a6da89decfa005d7645c6f455af280ec94c132c85ddacc93dfb9efb685fda641
    • Instruction ID: 5c79e7ce13bf2cb7496f5963cbd90b2078238d28c272c6aabeb131a635957b25
    • Opcode Fuzzy Hash: a6da89decfa005d7645c6f455af280ec94c132c85ddacc93dfb9efb685fda641
    • Instruction Fuzzy Hash: B631E332A0010AFBCB11DF94DD49EEEBF79FF88710F108125FA11A6161D7759A61EBA0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: zy($,3[$R'}$}0Xk
    • API String ID: 0-439720767
    • Opcode ID: f2ecbc36d716a0bd54cc53ac832ec283ba8df5ce3f783d2bb3bffa85ac8e010c
    • Instruction ID: f4ace64fc89f3075d169c446ace11e6f912e5b904e90a60d848ba519667696c3
    • Opcode Fuzzy Hash: f2ecbc36d716a0bd54cc53ac832ec283ba8df5ce3f783d2bb3bffa85ac8e010c
    • Instruction Fuzzy Hash: CAB229F360C6009FE304AE2DDC8567ABBEAEFD4720F1A893DE6C4C7744E93558058696
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: ?%ym$@sTk$Txo$V[
    • API String ID: 0-2557145317
    • Opcode ID: 989a0aa7cedc1a454b569d4900955fc23d68cd47f2cc43b3b0b9f90b39b1e0ec
    • Instruction ID: 575b6ea9c95a1cf2a3a986c45b5b903381c70b16f078a208c4533de1c535faaa
    • Opcode Fuzzy Hash: 989a0aa7cedc1a454b569d4900955fc23d68cd47f2cc43b3b0b9f90b39b1e0ec
    • Instruction Fuzzy Hash: ED82F6F36082009FE304AE2DEC8563AB7E6EFD4720F1A893DE5C5C7744EA3598458657
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: Z=G$obvo
    • API String ID: 0-1828876327
    • Opcode ID: b52aa4f941d6eb548c67935117131777aa11baad5c51048abf7accd663d4a748
    • Instruction ID: c76534535a46d9785111a6945dfa4787dcb161a60075b4a6aa23e25398cdfcbd
    • Opcode Fuzzy Hash: b52aa4f941d6eb548c67935117131777aa11baad5c51048abf7accd663d4a748
    • Instruction Fuzzy Hash: FEA2E5F360C204AFE304AE29EC8166AFBE9EF94720F16893DE6C4C7744E63558458797
    APIs
      • Part of subcall function 00F48A4D: GetCurrentThreadId.KERNEL32 ref: 00F48A5C
      • Part of subcall function 00F48A4D: Sleep.KERNELBASE(00000005,00050000,00000000), ref: 00F48A9F
    • GetSystemTime.KERNEL32(?,-11565FEC), ref: 00F4CBCF
    • GetFileTime.KERNEL32(?,?,?,?,-11565FEC), ref: 00F4CC12
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: Time$CurrentFileSleepSystemThread
    • String ID:
    • API String ID: 3818558864-0
    • Opcode ID: 862dd3f5a3151331af7b0e0c62b593237e76198d68e396d63318d5322e8ec9eb
    • Instruction ID: 2ccad738c9bfe3cd92bd6820587e032020bc8097b25d54609bafa2af9ad8f76a
    • Opcode Fuzzy Hash: 862dd3f5a3151331af7b0e0c62b593237e76198d68e396d63318d5322e8ec9eb
    • Instruction Fuzzy Hash: BD01D632601086FBCF21AF6ADC0CD8E7F75EF85791B004126FA1589060CB7584A2FBA1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: @f$h(&
    • API String ID: 0-575990806
    • Opcode ID: 80fe66b6ba8efd4ca3027c9e41dc24af675587e04a5fc8a34a0a53857f0287a0
    • Instruction ID: 79f39f0d1c6ccd08b667efcc22d4824ad2529b8e664bb83f680391351e9001bf
    • Opcode Fuzzy Hash: 80fe66b6ba8efd4ca3027c9e41dc24af675587e04a5fc8a34a0a53857f0287a0
    • Instruction Fuzzy Hash: 1B514BF3E082109BE3406A6DECC47A7BAD9EB94330F2B4639DAD8D3780E9755C0582D5
    APIs
    • CryptVerifySignatureA.ADVAPI32(?,?,?,?,?,?), ref: 00F4DA9F
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: CryptSignatureVerify
    • String ID:
    • API String ID: 1015439381-0
    • Opcode ID: e05cc52b13d0e9ccc2508fbf1f33667859fae5644068a9ed68acf495fef164d6
    • Instruction ID: 182263e816841804782a340476dd2a1c886a383b24de43c641114e67bb0d8fd6
    • Opcode Fuzzy Hash: e05cc52b13d0e9ccc2508fbf1f33667859fae5644068a9ed68acf495fef164d6
    • Instruction Fuzzy Hash: 28F0F232A0420AFFCF01CFA4C904A8C7FB2FF19305B10816AFD1596611C37A9AA1EF80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: Vok
    • API String ID: 0-1896081008
    • Opcode ID: e6f6cacd59fbea4b0257b5af5b82832eb5d9f030ed217770c3fde33008216bc3
    • Instruction ID: 096a1b1f5b1cdf62ff3f03bd2a7bc76abeae357793ae71b5a07f09148ef4fbe6
    • Opcode Fuzzy Hash: e6f6cacd59fbea4b0257b5af5b82832eb5d9f030ed217770c3fde33008216bc3
    • Instruction Fuzzy Hash: AF5143F3A082049FE7447E2DEC9977AB7E9EB90320F2A453DD7C4C3744EA3959048A46
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: zbw
    • API String ID: 0-664631040
    • Opcode ID: 9806ff32de790edc8df6ad40e7ed4715376f979af1ee75020ebe78f43df93d0d
    • Instruction ID: 2d05ee919525224226eaab9b032d3f83ab7cecf31e991c6594b5e9a78651a966
    • Opcode Fuzzy Hash: 9806ff32de790edc8df6ad40e7ed4715376f979af1ee75020ebe78f43df93d0d
    • Instruction Fuzzy Hash: B84127F35086009FE7146E29EC8577AB7E5DFA4720F1B453DE6C1D7740E53998018687
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID: >oC
    • API String ID: 0-1765948138
    • Opcode ID: b1a8acb89ce1eba0583c7c926aa25729f796677c35075d56884ef52cff5f0dbd
    • Instruction ID: 6a65110b2100b5a805933e28813485edc42a812843c523aab2ab56bc1e56da37
    • Opcode Fuzzy Hash: b1a8acb89ce1eba0583c7c926aa25729f796677c35075d56884ef52cff5f0dbd
    • Instruction Fuzzy Hash: 0E4105F2A087189BE350AF29DC8433AF7D5EB94710F16863CDAC893784EA3959058686
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 23deeabc2a6e57dc16ca5173c381ed465d275f3cf0362d45f143068615f84773
    • Instruction ID: 01d43ec99415a1974391f4305f313586487db5e112c33bf602ec1b810d2d87cf
    • Opcode Fuzzy Hash: 23deeabc2a6e57dc16ca5173c381ed465d275f3cf0362d45f143068615f84773
    • Instruction Fuzzy Hash: 1C6108B7F146104FF3409D69DD8476AB696EBD4320F2B863DEEC8A7784D939980642C1
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    • Associated: 00000000.00000002.1845729153.0000000000D60000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845766239.0000000000D62000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845800347.0000000000D66000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001004000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1845827902.0000000001014000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846142093.0000000001015000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846310814.00000000011BC000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1846442986.00000000011BE000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 293b0c0094f2a7b2c05e3f01373ffa3d469b5f741f8db598a7cf5f74afd5b8df
    • Instruction ID: 9540772f5542ce4b7c3ae419d3119bb4758cc89bb2433ee7f7a0415626191605
    • Opcode Fuzzy Hash: 293b0c0094f2a7b2c05e3f01373ffa3d469b5f741f8db598a7cf5f74afd5b8df
    • Instruction Fuzzy Hash: CF514AB3A082109BE3046A2DDC4576FF7E5EFD0730F16863DEAD493B88D93998058682
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 2723e3c265242709b0cf67cc7e8e8bca072afae78680211426642834412b26c9
    • Instruction ID: 9437cda8228b82b0014b467b9e924903c6d385f04c2e5a5100bc835c7210b68c
    • Opcode Fuzzy Hash: 2723e3c265242709b0cf67cc7e8e8bca072afae78680211426642834412b26c9
    • Instruction Fuzzy Hash: D04158F3E083085FE3046E79DC8577AB7D9EB64710F1A413DDB8583780F97A6905428A
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fd372a97c8576e10f28018bccce20f6163a03daf0276447871b226b17a98fb82
    • Instruction ID: 1e5568cf31694040dfea5538100d82f486b8f5b316b523f55c6ebaab4a50e6f5
    • Opcode Fuzzy Hash: fd372a97c8576e10f28018bccce20f6163a03daf0276447871b226b17a98fb82
    • Instruction Fuzzy Hash: 6F4106F7A085009FE3005E2EDD8177ABBD6EBE4720F2B853DD684C3744E93498468296
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000D6A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 733c158db382d50ae7eca5741244aa01cca904afcd76e26b4d12524933be4024
    • Instruction ID: e336d249e923f762850feca08c865c006c46e7d366af5d74c170ffa39f757129
    • Opcode Fuzzy Hash: 733c158db382d50ae7eca5741244aa01cca904afcd76e26b4d12524933be4024
    • Instruction Fuzzy Hash: 7841E4B3E142144BF348AD39CD0936AB792EB94320F2B863C8E99A37C4ED3D58164685
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e099a3efe441830a78cb5bf73b258c884a77316c15935db7fca298b442375d02
    • Instruction ID: ee7402debe161dad26bd59eb9bb3cbb94d490bba6067ea84bd97af8dabfe5da3
    • Opcode Fuzzy Hash: e099a3efe441830a78cb5bf73b258c884a77316c15935db7fca298b442375d02
    • Instruction Fuzzy Hash: 3B3170F251C3049FD309BE29DC46BBABBE5EB98310F16492DE3D583740E63594018A9B
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 610bc74254fc981fb82f2efd6ab4a31910a8bb49ea6e1d272dd2326c5b52ad39
    • Instruction ID: a8645e01682dbd62dc657a96b4745352050a4a6fa0bb296981e25c0bb0a6a509
    • Opcode Fuzzy Hash: 610bc74254fc981fb82f2efd6ab4a31910a8bb49ea6e1d272dd2326c5b52ad39
    • Instruction Fuzzy Hash: 20E0C27F8CC990A7DA23DF901941778BB2C6F23B30F748465E546155C3A39A0B06B225
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d76f0988f3dd063dc42c6f4fa37e65a4810f662b57d8097b6fe6f055a8a61604
    • Instruction ID: 965a5e92fd5a897d2cf182f6f3805e4425e129495ee19709ec2b6ec914367490
    • Opcode Fuzzy Hash: d76f0988f3dd063dc42c6f4fa37e65a4810f662b57d8097b6fe6f055a8a61604
    • Instruction Fuzzy Hash: 5AE04F761082019EC700DF54C84599FFBF4FF19350F618445E484CB222C3354941DB2A
    APIs
    • GetFileAttributesExW.KERNEL32(01651214,00004020,00000000,-11565FEC), ref: 00F4CD8E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1845827902.0000000000EFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_d60000_file.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID: @
    • API String ID: 3188754299-2726393805
    • Opcode ID: 74fb23b7a652a3bd719922525841038dba7446cd068cde18f8651e2b1f8f9fd2
    • Instruction ID: c75d059cd69da06a98ad864350e6cef239460926158ba90033556bec373e0460
    • Opcode Fuzzy Hash: 74fb23b7a652a3bd719922525841038dba7446cd068cde18f8651e2b1f8f9fd2
    • Instruction Fuzzy Hash: E231BD75A04305EFDB258F54CC44B9EBFB0FF04310F108529E96667650C3B9A6A0EB90