Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561680
MD5: 439e7c18eefd3d53793669e1c9575d84
SHA1: 8d6cf9ea7bcecbce59a28430636f3a6920b97d85
SHA256: 0926fb4154569379a0a942b34acf902d259a7e8d89b0c033ca8858a5503e3965
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
AI detected suspicious sample
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Hides threads from debuggers
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5804 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 439E7C18EEFD3D53793669E1C9575D84)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2113857691.0000000000890000.00000004.00001000.00020000.00000000.sdmp

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C5832
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B05BCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C5C06
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A36FAD
Source: file.exe, 00000000.00000002.2247877228.000000000075E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: classification engine | Classification label: mal100.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_049815D0 ChangeServiceConfigA
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\Desktop\file.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: file.exe | Static file information: File size 2745344 > 1048576
Source: file.exe | Static PE information: Raw size of ttxpfobj is bigger than: 0x100000 < 0x298400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb | source: file.exe, 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2113857691.0000000000890000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.8b0000.0.unpack :EW;.rsrc:W;.idata :W;ttxpfobj:EW;xtbhwlhc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2a2346 should be: 0x2ad48c
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: ttxpfobj
Source: file.exe | Static PE information: section name: xtbhwlhc
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3A2D6 push 57350BD1h; mov dword ptr [esp], ebx | 0_2_00A3A9EA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BE5F2 push ebp; mov dword ptr [esp], 415F03BBh | 0_2_008BE604
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D74B push 54A2315Eh; mov dword ptr [esp], ebx | 0_2_00A2D7DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D74B push ecx; mov dword ptr [esp], 759AF661h | 0_2_00A2D81A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BE87C push esi; mov dword ptr [esp], edi | 0_2_008BEC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D90D push esi; mov dword ptr [esp], 5DFFA062h | 0_2_00A2D936
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D90D push ecx; mov dword ptr [esp], ebx | 0_2_00A2D966
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3C0B3 push ebx; mov dword ptr [esp], 5574F981h | 0_2_00A3C0C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A360BC push 49314189h; mov dword ptr [esp], ebp | 0_2_00A361D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3B08A push 154207AAh; mov dword ptr [esp], esi | 0_2_00A3B08F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A37089 push edi; mov dword ptr [esp], 77B73CCCh | 0_2_00A370C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2E091 push ebp; mov dword ptr [esp], ecx | 0_2_00A2E0C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2E0E1 push edx; mov dword ptr [esp], 7DFDD9F4h | 0_2_00A2E10B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2E0E1 push ebx; mov dword ptr [esp], 1DA58C77h | 0_2_00A2E154
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A5D0CD push 709D3D1Ah; mov dword ptr [esp], edi | 0_2_00A5D0EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A350D5 push eax; mov dword ptr [esp], 4FF71A63h | 0_2_00A350DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A66000 push 57D59D2Bh; mov dword ptr [esp], ebx | 0_2_00A6604B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3C011 push ecx; mov dword ptr [esp], edi | 0_2_00A3ECDD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A37019 push ebx; mov dword ptr [esp], 7EE5C6B0h | 0_2_00A3742F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C207F push ecx; mov dword ptr [esp], 6BBF7CE0h | 0_2_008C2086
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C207F push 58C8BEDEh; mov dword ptr [esp], edx | 0_2_008C2096
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADA051 push 46F9CCDEh; mov dword ptr [esp], edx | 0_2_00ADA0AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADA051 push edx; mov dword ptr [esp], esi | 0_2_00ADA0CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3E1A0 push 2E7D13EEh; mov dword ptr [esp], edi | 0_2_00A3E1A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3B191 push eax; mov dword ptr [esp], edx | 0_2_00A3B193
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADA192 push 75DD8E45h; mov dword ptr [esp], edx | 0_2_00ADA19A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ADA192 push ecx; mov dword ptr [esp], ebp | 0_2_00ADA20C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A361FF push ebp; mov dword ptr [esp], edi | 0_2_00A36344
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BD1EB push 530A219Ch; mov dword ptr [esp], ebp | 0_2_008BE3DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BD1EB push esi; mov dword ptr [esp], edi | 0_2_008BEC9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3A1C4 push 1149A5B1h; mov dword ptr [esp], edx | 0_2_00A3A1D4
Source: file.exe | Static PE information: section name: entropy: 7.7821410872177

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6154F second address: A61556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61FD6 second address: A61FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61FE3 second address: A61FE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62837 second address: A6283B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A63401 second address: A63408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65EA8 second address: A65EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F37B07E383Dh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F37B07E3847h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A65EDC second address: A65EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68B62 second address: A68B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68B68 second address: A68B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68B6C second address: A68BDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b jmp 00007F37B07E3848h 0x00000010 jnp 00007F37B07E3836h 0x00000016 popad 0x00000017 pop ebx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F37B07E3838h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov bx, 4A12h 0x00000037 push 00000000h 0x00000039 mov bx, 59D8h 0x0000003d mov edi, dword ptr [ebp+122D3A13h] 0x00000043 push 00000000h 0x00000045 jnc 00007F37B07E383Ch 0x0000004b xchg eax, esi 0x0000004c push eax 0x0000004d push edx 0x0000004e push ecx 0x0000004f jno 00007F37B07E3836h 0x00000055 pop ecx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69B88 second address: A69B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A68D35 second address: A68D4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jns 00007F37B07E3836h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jnc 00007F37B07E3836h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69E29 second address: A69E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6AA72 second address: A6AAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F37B07E3838h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 and edi, 777E2861h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F37B07E3838h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 push 00000000h 0x00000046 mov dword ptr [ebp+124468C4h], esi 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F37B07E3849h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69E2D second address: A69E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B0F85D25h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F37B0F85D21h 0x00000015 jp 00007F37B0F85D16h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6AAE7 second address: A6AAFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jne 00007F37B07E3836h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F37B07E3838h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69E65 second address: A69E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B0F85D1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BAF4 second address: A6BAF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BAF8 second address: A6BAFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BAFE second address: A6BB04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BB04 second address: A6BB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BB08 second address: A6BB0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BC8B second address: A6BC8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6BC8F second address: A6BC95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2005D second address: A20067 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B0F85D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F2FC second address: A6F30E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E383Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A702A8 second address: A702BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B0F85D23h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A702BF second address: A702C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F3D3 second address: A6F3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7125C second address: A71260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F3D7 second address: A6F3DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71F95 second address: A71F99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71260 second address: A71264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A71F99 second address: A72037 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E383Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D24D3h], edx 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F37B07E3838h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e pushad 0x0000002f and ebx, 472D2E59h 0x00000035 xor bh, 0000006Dh 0x00000038 popad 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebp 0x0000003e call 00007F37B07E3838h 0x00000043 pop ebp 0x00000044 mov dword ptr [esp+04h], ebp 0x00000048 add dword ptr [esp+04h], 0000001Ch 0x00000050 inc ebp 0x00000051 push ebp 0x00000052 ret 0x00000053 pop ebp 0x00000054 ret 0x00000055 sbb di, F0A7h 0x0000005a push eax 0x0000005b pushad 0x0000005c pushad 0x0000005d jmp 00007F37B07E3849h 0x00000062 jne 00007F37B07E3836h 0x00000068 popad 0x00000069 pushad 0x0000006a jnp 00007F37B07E3836h 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A703A8 second address: A703AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72FF4 second address: A72FFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73EF8 second address: A73EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73EFE second address: A73F81 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F37B07E384Ch 0x00000008 jmp 00007F37B07E3846h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 jnp 00007F37B07E3843h 0x00000017 jmp 00007F37B07E383Dh 0x0000001c pop eax 0x0000001d nop 0x0000001e mov dword ptr [ebp+122D1E52h], ecx 0x00000024 push 00000000h 0x00000026 js 00007F37B07E3839h 0x0000002c mov bx, di 0x0000002f push 00000000h 0x00000031 pushad 0x00000032 cld 0x00000033 js 00007F37B07E383Ch 0x00000039 add dword ptr [ebp+122D1D50h], edx 0x0000003f popad 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 jmp 00007F37B07E383Fh 0x00000047 jmp 00007F37B07E383Eh 0x0000004c popad 0x0000004d push eax 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 jp 00007F37B07E3836h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73F81 second address: A73F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73F85 second address: A73F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7317A second address: A7317E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72181 second address: A72204 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B07E3836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F37B07E3836h 0x00000013 popad 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 mov dword ptr [ebp+122D29C6h], ebx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov di, bx 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov bx, 1ED8h 0x00000033 mov eax, dword ptr [ebp+122D0D99h] 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F37B07E3838h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push edx 0x00000058 call 00007F37B07E3838h 0x0000005d pop edx 0x0000005e mov dword ptr [esp+04h], edx 0x00000062 add dword ptr [esp+04h], 00000015h 0x0000006a inc edx 0x0000006b push edx 0x0000006c ret 0x0000006d pop edx 0x0000006e ret 0x0000006f mov di, D7C1h 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 jns 00007F37B07E3836h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7317E second address: A7318F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F37B0F85D18h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72204 second address: A7220A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7220A second address: A72214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F37B0F85D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A72214 second address: A7222E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F37B07E383Dh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75037 second address: A7503D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75F8F second address: A75F96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A77F1F second address: A77F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A75F96 second address: A7605B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F37B07E3838h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 mov di, dx 0x00000027 mov ebx, eax 0x00000029 push dword ptr fs:[00000000h] 0x00000030 jmp 00007F37B07E383Fh 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F37B07E3838h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 jmp 00007F37B07E383Ch 0x0000005b mov eax, dword ptr [ebp+122D1761h] 0x00000061 jmp 00007F37B07E3844h 0x00000066 push FFFFFFFFh 0x00000068 mov bh, 4Eh 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e jmp 00007F37B07E3846h 0x00000073 jmp 00007F37B07E3843h 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7605B second address: A76061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A76061 second address: A76065 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A78195 second address: A78199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A79243 second address: A7924D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B07E383Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A896E6 second address: A89709 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F37B0F85D29h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A89709 second address: A8970D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8C6C8 second address: A8C6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8C6D3 second address: A8C6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8C9C4 second address: A8C9D2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F37B0F85D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A126A8 second address: A126AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A969FC second address: A96A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96A00 second address: A96A04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96A04 second address: A96A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96A0A second address: A96A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96A10 second address: A96A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96A14 second address: A96A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E3842h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jp 00007F37B07E3842h 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96A4A second address: A96A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A96ABC second address: A96AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B7B1 second address: A9B7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AA6C second address: A9AA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AA72 second address: A9AAAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F37B0F85D2Ah 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F37B0F85D25h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9AD49 second address: A9AD53 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F37B07E3836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B005 second address: A9B042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B0F85D23h 0x00000009 jmp 00007F37B0F85D1Ah 0x0000000e je 00007F37B0F85D16h 0x00000014 popad 0x00000015 pop ecx 0x00000016 jne 00007F37B0F85D45h 0x0000001c jng 00007F37B0F85D18h 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B042 second address: A9B046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B046 second address: A9B05D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B0F85D23h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9B4DB second address: A9B4E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E4C1 second address: A9E4D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B0F85D1Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9E4D0 second address: A9E4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA26FB second address: AA2706 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA28A6 second address: AA28AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA28AB second address: AA28C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B0F85D1Fh 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2B8C second address: AA2B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2B90 second address: AA2B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2B94 second address: AA2BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F37B07E3836h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e push esi 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2BAC second address: AA2BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2E51 second address: AA2E55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA322C second address: AA3283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jbe 00007F37B0F85D27h 0x00000011 jmp 00007F37B0F85D21h 0x00000016 jl 00007F37B0F85D2Fh 0x0000001c jmp 00007F37B0F85D27h 0x00000021 push edx 0x00000022 pop edx 0x00000023 popad 0x00000024 jbe 00007F37B0F85D2Fh 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F37B0F85D1Dh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA33D8 second address: AA33DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA33DE second address: AA33F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B0F85D21h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA33F3 second address: AA33F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA3B51 second address: AA3B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA2410 second address: AA2424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E383Ah 0x00000007 jns 00007F37B07E3836h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA9056 second address: AA905C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6697B second address: A441D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a stc 0x0000000b call dword ptr [ebp+122D24EEh] 0x00000011 js 00007F37B07E3850h 0x00000017 push eax 0x00000018 push edx 0x00000019 jns 00007F37B07E3836h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6700F second address: A6701E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B0F85D1Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6701E second address: A67030 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F37B07E3836h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67712 second address: A6774B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F37B0F85D29h 0x0000000c nop 0x0000000d xor cx, 159Eh 0x00000012 push 0000001Eh 0x00000014 push ebx 0x00000015 mov dword ptr [ebp+12441724h], eax 0x0000001b pop ecx 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 pop eax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6774B second address: A67762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B07E3843h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67762 second address: A67766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67A5D second address: A67A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67A61 second address: A67A65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA86EE second address: AA86F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8AC3 second address: AA8ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F37B0F85D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA8ACD second address: AA8AE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F37B07E383Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA736 second address: AAA73A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA73A second address: AAA76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B07E3841h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F37B07E3847h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA76C second address: AAA770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAA770 second address: AAA774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE944 second address: AAE952 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 ja 00007F37B0F85D16h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAE952 second address: AAE95C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B07E3842h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEACB second address: AAEAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEAD1 second address: AAEAD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAEC20 second address: AAEC27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AAF023 second address: AAF049 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E3848h 0x00000007 jnp 00007F37B07E3836h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB640E second address: AB6415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB6415 second address: AB6420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB6420 second address: AB6424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB6424 second address: AB6445 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B07E383Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007F37B07E3836h 0x00000015 js 00007F37B07E3836h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB6445 second address: AB6461 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F37B0F85D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F37B0F85D1Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8C21 second address: AB8C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88C9 second address: AB88CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88CD second address: AB88D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88D6 second address: AB88DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88DB second address: AB88F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F37B07E3844h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB88F5 second address: AB8912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007F37B0F85D16h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jbe 00007F37B0F85D34h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABD5DD second address: ABD5EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 js 00007F37B07E3836h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABC92E second address: ABC945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F37B0F85D16h 0x00000009 pushad 0x0000000a popad 0x0000000b je 00007F37B0F85D16h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABD181 second address: ABD187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C965 second address: A1C969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C969 second address: A1C992 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F37B07E3836h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F37B07E3845h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C992 second address: A1C9A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F37B0F85D16h 0x0000000a jmp 00007F37B0F85D1Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0760 second address: AC076F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F37B07E3836h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC076F second address: AC0773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0773 second address: AC077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC077B second address: AC0793 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F37B0F85D23h 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0916 second address: AC091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC091C second address: AC0932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B0F85D20h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0A7B second address: AC0A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC0A80 second address: AC0A93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F37B0F85D1Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC503C second address: AC5068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B07E3843h 0x00000010 pushad 0x00000011 je 00007F37B07E3836h 0x00000017 jnp 00007F37B07E3836h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5068 second address: AC506F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC506F second address: AC507D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F37B07E3836h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC51B0 second address: AC51B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC51B4 second address: AC51B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC51B8 second address: AC51D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B0F85D23h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC51D1 second address: AC51DB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F37B07E383Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5358 second address: AC535E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC535E second address: AC5365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5365 second address: AC537D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F37B0F85D1Bh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC56A7 second address: AC56B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F37B07E3836h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC56B1 second address: AC56B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67552 second address: A67558 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67558 second address: A67562 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F37B0F85D16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67562 second address: A67566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A67566 second address: A675F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F37B0F85D18h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 call 00007F37B0F85D22h 0x0000002a call 00007F37B0F85D1Ah 0x0000002f mov ecx, dword ptr [ebp+122D24B6h] 0x00000035 pop edx 0x00000036 pop ecx 0x00000037 mov dword ptr [ebp+122D38E7h], eax 0x0000003d push 00000004h 0x0000003f push 00000000h 0x00000041 push ecx 0x00000042 call 00007F37B0F85D18h 0x00000047 pop ecx 0x00000048 mov dword ptr [esp+04h], ecx 0x0000004c add dword ptr [esp+04h], 0000001Dh 0x00000054 inc ecx 0x00000055 push ecx 0x00000056 ret 0x00000057 pop ecx 0x00000058 ret 0x00000059 sub cx, 1AD4h 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 popad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A675F3 second address: A675F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5930 second address: AC594D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F37B0F85D24h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC594D second address: AC5998 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E383Eh 0x00000007 jp 00007F37B07E3836h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F37B07E3848h 0x00000014 pushad 0x00000015 jmp 00007F37B07E3846h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5998 second address: AC59AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F37B0F85D1Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AC5B01 second address: AC5B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B07E383Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCF53 second address: ACCF59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCF59 second address: ACCF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F37B07E3843h 0x0000000b pushad 0x0000000c jng 00007F37B07E3836h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCF7B second address: ACCF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACCF81 second address: ACCF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACD574 second address: ACD579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACDDAA second address: ACDDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACDDAE second address: ACDDD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B0F85D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B0F85D1Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE14A second address: ACE15C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007F37B07E3836h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE15C second address: ACE160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACE423 second address: ACE427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACEA5B second address: ACEA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B0F85D24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACEA73 second address: ACEA84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F37B07E383Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACEA84 second address: ACEA93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD0652 second address: AD0668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E3842h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1CD4 second address: AD1CDA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1CDA second address: AD1CF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F37B07E3842h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1CF8 second address: AD1D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F37B0F85D22h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD1D19 second address: AD1D27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F37B07E383Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26A24 second address: A26A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F37B0F85D16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AD9F77 second address: AD9F81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F37B07E3836h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA261 second address: ADA267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA267 second address: ADA26D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA26D second address: ADA272 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA272 second address: ADA278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ADA278 second address: ADA27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2238 second address: AE2257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F37B07E3836h 0x0000000a jmp 00007F37B07E3845h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE23CF second address: AE23D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE27E8 second address: AE27F2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F37B07E3836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE27F2 second address: AE280A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F37B0F85D22h 0x0000000c jng 00007F37B0F85D16h 0x00000012 jg 00007F37B0F85D16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE280A second address: AE2811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2811 second address: AE2817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2948 second address: AE2952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F37B07E3836h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2952 second address: AE295B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE295B second address: AE2961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2961 second address: AE2968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE2968 second address: AE296D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE296D second address: AE2973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2A9B second address: AE2A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2A9F second address: AE2AB1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F37B0F85D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F37B0F85D1Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2F0F second address: AE2F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2F1A second address: AE2F20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE2F20 second address: AE2F26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE90E0 second address: AE90E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE9233 second address: AE9244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E383Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE93A7 second address: AE93AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AE93AC second address: AE93B6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B07E383Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF7F4D second address: AF7F5F instructions: 0x00000000 rdtsc 0x00000002 je 00007F37B0F85D18h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F37B0F85D16h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AF7C8E second address: AF7CB7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F37B07E3842h 0x00000008 pushad 0x00000009 jmp 00007F37B07E3842h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFA98B second address: AFA9A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F37B0F85D16h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFA9A2 second address: AFA9A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AFA9A6 second address: AFA9AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B008FD second address: B00905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B00905 second address: B0090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B043C7 second address: B043E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B07E3849h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B043E4 second address: B043E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B043E8 second address: B043EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B043EE second address: B0441D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F37B0F85D24h 0x00000008 jmp 00007F37B0F85D1Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F37B0F85D27h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B04234 second address: B04238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0E2E6 second address: B0E2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0E2EA second address: B0E2F0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0E155 second address: B0E160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0E160 second address: B0E164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B0E164 second address: B0E16E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F37B0F85D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B11075 second address: B11079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B15290 second address: B152AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B0F85D28h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B152AC second address: B152B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B152B1 second address: B152B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B152B9 second address: B152D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jno 00007F37B07E3842h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B152D8 second address: B152DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B152DE second address: B15335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F37B07E3836h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F37B07E3849h 0x00000011 jmp 00007F37B07E3846h 0x00000016 pop ecx 0x00000017 pushad 0x00000018 jg 00007F37B07E3836h 0x0000001e jmp 00007F37B07E3842h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B15335 second address: B1533F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B155F5 second address: B155F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1587A second address: B15880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B15880 second address: B15885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B15885 second address: B15899 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 jc 00007F37B0F85D16h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1A494 second address: B1A499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1A499 second address: B1A4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007F37B0F85D16h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B1A4A5 second address: B1A4B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E383Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B23D1E second address: B23D34 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F37B0F85D16h 0x00000008 jp 00007F37B0F85D16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B23D34 second address: B23D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B23D38 second address: B23D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B23D3E second address: B23D65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F37B07E3841h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jl 00007F37B07E3836h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B23D65 second address: B23D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 jmp 00007F37B0F85D27h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F37B0F85D1Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B23D92 second address: B23D98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B25327 second address: B2532B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B2532B second address: B25333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3B3DF second address: B3B415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B0F85D20h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c pushad 0x0000000d jne 00007F37B0F85D25h 0x00000013 push edi 0x00000014 jp 00007F37B0F85D16h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3B415 second address: B3B424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F37B07E3836h 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3B5B2 second address: B3B5CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B0F85D1Fh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3B5CD second address: B3B5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3B8B8 second address: B3B8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BB65 second address: B3BB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 js 00007F37B07E3836h 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BB74 second address: B3BBA5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F37B0F85D27h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F37B0F85D1Eh 0x00000010 jl 00007F37B0F85D16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BD12 second address: B3BD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F37B07E383Ah 0x00000008 jbe 00007F37B07E3836h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BE40 second address: B3BE4E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F37B0F85D16h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BE4E second address: B3BE52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BE52 second address: B3BE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B0F85D26h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BE6E second address: B3BEAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F37B07E3842h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jnl 00007F37B07E3836h 0x00000011 pop edi 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F37B07E3844h 0x0000001a push edx 0x0000001b pop edx 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3BEAA second address: B3BECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B0F85D1Dh 0x00000009 jc 00007F37B0F85D16h 0x0000000f popad 0x00000010 push ebx 0x00000011 jp 00007F37B0F85D16h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B45BA7 second address: B45BBF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F37B07E3836h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F37B07E3838h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B45BBF second address: B45BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B45BC3 second address: B45BE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F37B07E3836h 0x00000011 js 00007F37B07E3836h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jc 00007F37B07E3836h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B4787C second address: B47882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B47882 second address: B47886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B47886 second address: B4788C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B4788C second address: B478A4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F37B07E3842h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3F283 second address: B3F2A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F37B0F85D16h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F37B0F85D23h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3F2A9 second address: B3F2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F37B07E383Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3F2BD second address: B3F2C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B3F2C1 second address: B3F2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F37B07E383Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B403FF second address: B40417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F37B0F85D18h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007F37B0F85D16h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B40417 second address: B4041B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B4041B second address: B4041F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8BDC72 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A58515 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AEE460 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 48E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 48E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D74B rdtsc 0_2_00A2D74B
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe TID: 6128 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: file.exe, 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D74B rdtsc 0_2_00A2D74B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BB80A LdrInitializeThunk,0_2_008BB80A
Source: C:\Users\user\Desktop\file.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: file.exe, 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
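The RDTSC interceptor rows in the evasion section above and the probes listed under Anti Debugging are the raw evidence a triager has to condense before writing a detection. The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses rows in the report's "Source: <file> <signature>: <detail>" form, tolerating the column separator the text export lost and the "Jump to behavior" link text, and for each rdtsc pair compares the memory distance between the two reads with the number of bytes actually executed between them, which is how the protector's taken jumps and register-shuffling filler show up. SAMPLE_ROWS is constructed from rows copied from this report; the signature label list and the filler classification are this example's own choices.

```python
"""Parse the behaviour-evidence rows of a Joe Sandbox report ("Source: <file> <signature>: <detail>")
and summarise the RDTSC timing checks and anti-debugging probes they record."""
import re
from collections import Counter

# Signature labels exactly as they appear in the rows above. The HTML export dropped the
# separator between source and label, so the label is located by name, not by delimiter.
SIGNATURE_LABELS = (
    "RDTSC instruction interceptor", "Special instruction interceptor", "Memory allocated",
    "Registry key queried", "Registry key value created / modified", "Registry value created",
    "Key value created or modified", "Code function", "Thread delayed", "Thread sleep time",
    "Thread information set", "Open window title or class name", "File opened",
    "Process queried", "Process token adjusted", "Process information queried",
    "System information queried", "Binary or memory string",
)
_ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)[\t |]*(?P<label>"
    + "|".join(re.escape(label) for label in SIGNATURE_LABELS)
    + r"):\s*(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)
_RDTSC_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)\s+instructions:\s*(.*)"
)
_INSN_SPLIT = re.compile(r"\s*0x([0-9A-Fa-f]{8})\s+")   # "0x00000004 push eax" -> offset, mnemonic
_BRANCH_RE = re.compile(r"^j\w+\s")                      # jmp / jcc followed by a target

# Constructed sample: rows copied from this report, with the tab the export lost restored on
# the first two and left missing (as on the page) on the rest.
SAMPLE_ROWS = [
    "Source: C:\\Users\\user\\Desktop\\file.exe\tRDTSC instruction interceptor: First address: AE296D second address: AE2973 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe\tRDTSC instruction interceptor: First address: B152DE second address: B15335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F37B07E3836h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F37B07E3849h 0x00000011 jmp 00007F37B07E3846h 0x00000016 pop ecx 0x00000017 pushad 0x00000018 jg 00007F37B07E3836h 0x0000001e jmp 00007F37B07E3842h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exeThread information set: HideFromDebuggerJump to behavior",
    "Source: C:\\Users\\user\\Desktop\\file.exeOpen window title or class name: ollydbg",
    "Source: C:\\Users\\user\\Desktop\\file.exeFile opened: NTICE",
    "Source: C:\\Users\\user\\Desktop\\file.exeProcess queried: DebugPortJump to behavior",
]


def parse_row(row):
    """Split one evidence row into source, signature label and detail; None if unrecognised."""
    m = _ROW_RE.match(row)
    return m.groupdict() if m else None


def parse_instructions(text):
    """Turn '0x00000000 rdtsc 0x00000002 pop edx ...' into [(offset, mnemonic), ...]."""
    parts = _INSN_SPLIT.split(text.strip())   # ['', off1, insn1, off2, insn2, ...]
    return [(int(parts[i], 16), parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]


def describe_rdtsc_site(detail):
    """Characterise one rdtsc...rdtsc pair: memory distance, executed bytes, and the filler
    the protector placed between the two reads."""
    m = _RDTSC_RE.match(detail)
    first, second = int(m.group(1), 16), int(m.group(2), 16)
    insns = parse_instructions(m.group(3))
    if not insns or insns[0][1] != "rdtsc" or insns[-1][1] != "rdtsc":
        raise ValueError("expected an rdtsc-bracketed trace: %r" % detail)
    between = [mnemonic for _, mnemonic in insns[1:-1]]
    # push X / pop X and pushad / popad back to back do nothing: pure filler.
    noop_pairs = sum(
        1 for a, b in zip(between, between[1:])
        if (a, b) == ("pushad", "popad") or (a.startswith("push ") and b == "pop " + a[5:])
    )
    return {
        "first": first,
        "second": second,
        "address_span": second - first,   # bytes between the two rdtsc sites in memory
        "trace_bytes": insns[-1][0],      # offsets are cumulative executed length, so the
                                          # last one is the bytes actually executed
        "filler": len(between),
        "branches": sum(1 for mnemonic in between if _BRANCH_RE.match(mnemonic)),
        "noop_pairs": noop_pairs,
    }


def summarise(rows):
    """Group rows by signature and pull out the anti-analysis probes a triager cares about."""
    parsed = [r for r in map(parse_row, rows) if r]
    sites = [describe_rdtsc_site(r["detail"]) for r in parsed
             if r["label"] == "RDTSC instruction interceptor"]
    return {
        "by_label": Counter(r["label"] for r in parsed),
        "rdtsc_sites": sites,
        # When a jump between the two reads is taken, memory distance and executed bytes
        # disagree: the timing check is dispersed, not a linear byte pattern.
        "dispersed_sites": sum(1 for s in sites if s["address_span"] != s["trace_bytes"]),
        "window_probes": sorted(r["detail"] for r in parsed if r["label"] == "Open window title or class name"),
        "device_probes": sorted(r["detail"] for r in parsed if r["label"] == "File opened"),
        "thread_flags": sorted(r["detail"] for r in parsed if r["label"] == "Thread information set"),
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_ROWS)
    for label, count in summary["by_label"].most_common():
        print(f"{count:4d}  {label}")
    for site in summary["rdtsc_sites"]:
        print(f"rdtsc pair {site['first']:X}->{site['second']:X}: span={site['address_span']} "
              f"executed={site['trace_bytes']} filler={site['filler']} branches={site['branches']}")
    print("window probes:", summary["window_probes"], "device probes:", summary["device_probes"])
```

Feed it a saved text export of the report to get one line per rdtsc site. Of the two constructed rows, the first is a straight 6-byte stub (the pop edx / pop eax and push eax / push edx around the filler save and restore the 64-bit timestamp the interceptor read), while the second spans 0x57 bytes of memory but executes only 0x25, because three of its five branches are taken. A static byte signature for "rdtsc ... rdtsc" therefore misses most of the 77 sites the sandbox recorded; what holds up is a runtime rule on two rdtsc executions within a short instruction window, which is what the interceptor itself implements.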

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\file.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications | Registry value created: DisableNotifications 1
Source: C:\Users\user\Desktop\file.exe | Registry value created: TamperProtection 0
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
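The registry writes listed above turn off real-time scanning, scanning of downloads and attachments, and Security Center notifications through the Policies hive, write TamperProtection 0, and override the automatic-update policy. The script below is an added example, not code from the report or from Joe Sandbox: evaluate() is a pure check over a {key: {value: data}} map so it can be tested offline, and read_live_values() fills that map from HKLM on a Windows host with winreg. The report gives only the value name for TamperProtection and only the names (not the data) for the three WindowsUpdate values, so the Defender Features key path, the meaning of TamperProtection's data and the WindowsUpdate data in SAMPLE_OBSERVED are this example's assumptions.

```python
"""Check a host for the Defender and Windows Update policy values this sample writes.
evaluate() is pure and runs anywhere; read_live_values() (Windows only) feeds it from HKLM."""
import sys

RTP_POLICY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
NOTIFY_POLICY = r"SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
WU_POLICY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
WU_AU_POLICY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
# Assumption: the report names only the value. Defender keeps TamperProtection under its
# Features key, where 5 means enabled; anything else is treated as not enabled here.
DEFENDER_FEATURES = r"SOFTWARE\Microsoft\Windows Defender\Features"


def _present(_data):
    """These policy values do not exist on a default host; their presence is the signal."""
    return True


# (key under HKLM, value name, predicate on the data, finding text)
CHECKS = (
    (RTP_POLICY, "DisableRealtimeMonitoring", lambda d: d == 1, "real-time scanning disabled by policy"),
    (RTP_POLICY, "DisableIOAVProtection", lambda d: d == 1, "scanning of downloads/attachments disabled by policy"),
    (NOTIFY_POLICY, "DisableNotifications", lambda d: d == 1, "Security Center notifications suppressed"),
    (DEFENDER_FEATURES, "TamperProtection", lambda d: d != 5, "tamper protection not in the enabled state (assumed: 5 = enabled)"),
    (WU_AU_POLICY, "AUOptions", _present, "automatic update behaviour overridden by policy"),
    (WU_AU_POLICY, "AutoInstallMinorUpdates", _present, "minor-update auto-install overridden by policy"),
    (WU_POLICY, "DoNotConnectToWindowsUpdateInternetLocations", _present, "Windows Update cut off from Microsoft servers"),
)


def _as_int(data):
    """Registry exports and REG_SZ misuse hand back strings ('1', '0x1'); normalise where possible."""
    if isinstance(data, int):
        return data
    try:
        return int(str(data).strip(), 0)
    except ValueError:
        return data


def evaluate(values):
    """values: {key_path: {value_name: data}} under HKLM. One finding per hostile setting;
    an absent policy value is the healthy default and produces nothing."""
    findings = []
    for key, name, is_bad, text in CHECKS:
        if name not in values.get(key, {}):
            continue
        data = _as_int(values[key][name])
        if is_bad(data):
            findings.append(f"HKLM\\{key}\\{name} = {data!r}: {text}")
    return findings


def read_live_values():
    """Windows only: read every checked key from HKLM (64-bit view) with winreg."""
    import winreg
    result = {}
    for key in {check[0] for check in CHECKS}:
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key, 0,
                                    winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:
            continue                     # key absent: nothing set by policy
        with handle:
            index, entries = 0, {}
            while True:
                try:
                    name, data, _type = winreg.EnumValue(handle, index)
                except OSError:
                    break
                entries[name] = data
                index += 1
            result[key] = entries
    return result


# Constructed from the rows above. The TamperProtection key and the WindowsUpdate data are assumed.
SAMPLE_OBSERVED = {
    RTP_POLICY: {"DisableRealtimeMonitoring": 1, "DisableIOAVProtection": 1},
    NOTIFY_POLICY: {"DisableNotifications": 1},
    DEFENDER_FEATURES: {"TamperProtection": 0},
    WU_AU_POLICY: {"AUOptions": 1, "AutoInstallMinorUpdates": 0},
    WU_POLICY: {"DoNotConnectToWindowsUpdateInternetLocations": 1},
}

# A host where an admin explicitly set the protective values: no findings.
SAMPLE_CLEAN = {RTP_POLICY: {"DisableRealtimeMonitoring": 0}, DEFENDER_FEATURES: {"TamperProtection": 5}}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_OBSERVED
    for line in evaluate(values) or ["no hostile Defender/Windows Update policy values found"]:
        print(line)
```

Because these are policy values, they override whatever the Security Center UI shows, so remediation means deleting the values (reg delete or Remove-ItemProperty) and restarting the Defender service rather than toggling the UI. The TamperProtection write is the one to watch: with tamper protection enabled, Defender refuses the policy-based real-time protection changes, so whether the DisableRealtimeMonitoring write took effect on a victim depends on whether that write succeeded.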
MITRE ATT&CK matrix (tactics as columns; a number in front of a technique is the count of matching behaviour entries, unnumbered cells are the unmatched default grid):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Service Execution | 1 Windows Service | 1 Windows Service | 1 Masquerading | OS Credential Dumping | 641 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Process Injection | 41 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 261 Virtualization/Sandbox Evasion | Security Account Manager | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Bypass User Account Control | 1 Process Injection | NTDS | 22 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Bypass User Account Control | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sand box version: 41.0.0 Charoite
Analysis ID: 1561680
Start date and time: 2024-11-24 04:19:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.evad.winEXE@1/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
No simulations
No context
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 226
Entropy (8bit): 5.360398796477698
Encrypted: false
SSDEEP: 6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5: 3A8957C6382192B71471BD14359D0B12
SHA1: 71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256: 282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512: 76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.516148407330977
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'745'344 bytes
MD5: 439e7c18eefd3d53793669e1c9575d84
SHA1: 8d6cf9ea7bcecbce59a28430636f3a6920b97d85
SHA256: 0926fb4154569379a0a942b34acf902d259a7e8d89b0c033ca8858a5503e3965
SHA512: 5f75a4b985dc1d05772a03a3cac8283be54c1cea5a4a6a093796b260b44f8f0ce0549ad979b31c06ae1ea16dd29a5c742ced0fc7f849940c07009df48cd59df9
SSDEEP: 49152:HRrWGPrti7cy2F9N9UeWlqknHXicQtm5dk0xvHkVHDxmR+:xrWGPrtiwyYN9UB7XIk59tkVHDxm
TLSH: 22D54B92F50872DFD48E1F78942BCD8659DD13B94B2548D3B82CA47A7D63CC21AF6C28
File Content Preview: MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`*.. ...`....@.. ........................*.....F#*...`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x6a6000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE
Time Stamp: 0x652C2850 [Sun Oct 15 17:58:40 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007F37B0DAAEAAh
cmpps xmm5, dqword ptr [ecx], 00h
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F37B0DACEA5h
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x81f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x2000 | 0x4000 | 0x1200 | f80687fa1b5bcacce0859fff238780a2 | False | 0.9327256944444444 | data | 7.7821410872177 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6000 | 0x59c | 0x600 | aae15e30898a02f09cc86ed48aa06b09 | False | 0.4140625 | data | 4.036947054771808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x8000 | 0x2000 | 0x200 | ec9cb51e8cb4ea49a56ee3cf434fb69e | False | 0.1484375 | data | 0.9342685949460681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ttxpfobj | 0xa000 | 0x29a000 | 0x298400 | e7dc87b45e815d41fe54dea5fcdb6dcc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xtbhwlhc | 0x2a4000 | 0x2000 | 0x400 | c93f038f484f0797e0f93a8927bb36f0 | False | 0.744140625 | data | 5.8692734370417865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x2a6000 | 0x4000 | 0x2200 | 797c334ae5c1e346acda244a822406f5 | False | 0.0661764705882353 | DOS executable (COM) | 0.8374157351655528 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x6090 | 0x30c | data | | | 0.42948717948717946
RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
kernel32.dll | lstrcpy
No network behavior found
Target ID:0
Start time:22:20:09
Start date:23/11/2024
Path:C:\Users\user\Desktop\file.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\file.exe"
Imagebase:0x8b0000
File size:2'745'344 bytes
MD5 hash:439E7C18EEFD3D53793669E1C9575D84
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true
    Execution Graph

    Execution Coverage:3.5%
    Dynamic/Decrypted Code Coverage:48%
    Signature Coverage:24%
    Total number of Nodes:25
    Total number of Limit Nodes:1
    execution_graph 5534 4980d48 5536 4980d4c OpenSCManagerW 5534->5536 5537 4980ddc 5536->5537 5538 4981308 5539 4981349 ImpersonateLoggedOnUser 5538->5539 5540 4981376 5539->5540 5515 8bb80a 5516 8bb80f 5515->5516 5517 8bb97a LdrInitializeThunk 5516->5517 5518 a3ea05 5523 a3ddb8 5518->5523 5519 a3f399 5520 a3f2d1 RegOpenKeyA 5520->5523 5521 a3f2aa RegOpenKeyA 5521->5520 5521->5523 5522 a3f332 GetNativeSystemInfo 5522->5523 5523->5519 5523->5520 5523->5521 5523->5522 5524 4981510 5525 4981514 ControlService 5524->5525 5527 498158f 5525->5527 5528 49815d0 5529 49815d4 ChangeServiceConfigA 5528->5529 5531 49818da 5529->5531 5545 8be5f2 VirtualAlloc 5546 8bf4d4 5545->5546 5532 a2d90d LoadLibraryA 5533 a2d91a 5532->5533

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 121 49815d0-498165a 124 498165c-4981666 121->124 125 4981693-49816b5 121->125 124->125 126 4981668-498166a 124->126 132 49816f1-4981712 125->132 133 49816b7-49816c4 125->133 127 498166c-4981676 126->127 128 498168d-4981690 126->128 130 4981678 127->130 131 498167a-4981689 127->131 128->125 130->131 131->131 134 498168b 131->134 139 498174b-498176d 132->139 140 4981714-498171e 132->140 133->132 135 49816c6-49816c8 133->135 134->128 137 49816ca-49816d4 135->137 138 49816eb-49816ee 135->138 141 49816d8-49816e7 137->141 142 49816d6 137->142 138->132 150 49817a9-49817ca 139->150 151 498176f-498177c 139->151 140->139 143 4981720-4981722 140->143 141->141 144 49816e9 141->144 142->141 145 4981724-498172e 143->145 146 4981745-4981748 143->146 144->138 148 4981730 145->148 149 4981732-4981741 145->149 146->139 148->149 149->149 152 4981743 149->152 159 49817cc-49817d6 150->159 160 4981803-4981825 150->160 151->150 153 498177e-4981780 151->153 152->146 155 4981782-498178c 153->155 156 49817a3-49817a6 153->156 157 498178e 155->157 158 4981790-498179f 155->158 156->150 157->158 158->158 161 49817a1 158->161 159->160 162 49817d8-49817da 159->162 166 4981861-49818d8 ChangeServiceConfigA 160->166 167 4981827-4981834 160->167 161->156 164 49817dc-49817e6 162->164 165 49817fd-4981800 162->165 168 49817e8 164->168 169 49817ea-49817f9 164->169 165->160 177 49818da-49818e0 166->177 178 49818e1-4981920 166->178 167->166 170 4981836-4981838 167->170 168->169 169->169 171 49817fb 169->171 172 498183a-4981844 170->172 173 498185b-498185e 170->173 171->165 175 4981848-4981857 172->175 176 4981846 172->176 173->166 175->175 179 4981859 175->179 176->175 177->178 181 4981930-4981934 178->181 182 4981922-4981926 178->182 179->173 185 4981944-4981948 181->185 186 4981936-498193a 181->186 182->181 184 4981928-498192b call 498013c 182->184 184->181 189 4981958-498195c 185->189 190 498194a-498194e 185->190 186->185 188 498193c-498193f call 498013c 186->188 188->185 193 498196c-4981970 189->193 194 498195e-4981962 189->194 190->189 192 4981950-4981953 call 498013c 190->192 192->189 195 4981980-4981984 193->195 196 4981972-4981976 193->196 194->193 198 4981964-4981967 call 498013c 194->198 200 4981994 195->200 201 4981986-498198a 195->201 196->195 199 4981978-498197b call 498013c 196->199 198->193 199->195 206 4981995 200->206 201->200 204 498198c-498198f call 498013c 201->204 204->200 206->206
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 049818C8
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 851226e8dfe57bbceb7c958bb0c3b1203f5cddf7145098357f9d368c394a2f05
    • Instruction ID: 5c1512124dfe228bcc87eaf2664813ca4b1df0fb83099769631f1b963bd45d70
    • Opcode Fuzzy Hash: 851226e8dfe57bbceb7c958bb0c3b1203f5cddf7145098357f9d368c394a2f05
    • Instruction Fuzzy Hash: 54C15A71D002199FDB10EFA8C9467AEBBF5FB48314F14863DE855E7294D774A882CB81

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 299 8bb80a-8bb96e call 8bb8ee * 2 305 8bb974-8bb978 299->305 305->305 306 8bb97a-8bb99f LdrInitializeThunk 305->306
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248064725.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248131682.00000000008C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248229804.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248247284.0000000000A13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248297613.0000000000A40000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248310980.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248327686.0000000000A4A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248343162.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248361779.0000000000A65000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248376112.0000000000A66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248390054.0000000000A68000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248404470.0000000000A6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248419923.0000000000A6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248435803.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248453724.0000000000A87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248481757.0000000000A8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248495568.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248512624.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248528889.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248543676.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248557586.0000000000AA5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248580010.0000000000AAC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248602585.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248627864.0000000000AC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248642930.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248659190.0000000000AC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248674425.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248690239.0000000000AD9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248706900.0000000000ADB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248722678.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248739930.0000000000AE5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248763592.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248780330.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248796939.0000000000B00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID:
    • String ID: !!iH
    • API String ID: 0-3430752988
    • Opcode ID: d10064f5ee6940ec29d777100da305ba6e5c5d01c71c12b5bcfa0999938884a3
    • Instruction ID: a29fda6fed9a14524e4bd445bd2b22618c85b2ce552c8112e9a95935d8021bbe
    • Opcode Fuzzy Hash: d10064f5ee6940ec29d777100da305ba6e5c5d01c71c12b5bcfa0999938884a3
    • Instruction Fuzzy Hash: 24E0C2311085C9CACF56DF6888027E93E0EFB41B01F100125FB01DAF5ADBAD0D119792
    Memory Dump Source
    • Source File: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248064725.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248131682.00000000008C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248229804.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248247284.0000000000A13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248297613.0000000000A40000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248310980.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248327686.0000000000A4A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248343162.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248361779.0000000000A65000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248376112.0000000000A66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248390054.0000000000A68000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248404470.0000000000A6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248419923.0000000000A6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248435803.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248453724.0000000000A87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248481757.0000000000A8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248495568.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248512624.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248528889.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248543676.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248557586.0000000000AA5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248580010.0000000000AAC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248602585.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248627864.0000000000AC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248642930.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248659190.0000000000AC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248674425.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248690239.0000000000AD9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248706900.0000000000ADB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248722678.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248739930.0000000000AE5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248763592.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248780330.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248796939.0000000000B00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e499f8f417326a3a4c30ef2f85cc86f315da31a85b05ddf3c23fc9a1dd86ab24
    • Instruction ID: 2c8f3efe0b1fde386aeca36d9052cb77fc4023cc1d2a8af6a30ff45b0faeb495
    • Opcode Fuzzy Hash: e499f8f417326a3a4c30ef2f85cc86f315da31a85b05ddf3c23fc9a1dd86ab24
    • Instruction Fuzzy Hash: 7E4160F650C310EFE301AF29D985ABEFBF9FB94720F26892DE1D482651D37448448B66

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 0 a3b4c1-a3b4e1 1 a3f255-a3f2a8 0->1 3 a3f2d1-a3f2ec RegOpenKeyA 1->3 4 a3f2aa-a3f2c5 RegOpenKeyA 1->4 6 a3f304-a3f330 3->6 7 a3f2ee-a3f2f8 3->7 4->3 5 a3f2c7 4->5 5->3 10 a3f332-a3f33b GetNativeSystemInfo 6->10 11 a3f33d-a3f347 6->11 7->6 10->11 12 a3f353-a3f361 11->12 13 a3f349 11->13 15 a3f363 12->15 16 a3f36d-a3f374 12->16 13->12 15->16 17 a3f387 16->17 18 a3f37a-a3f381 16->18 19 a3f38c-a3f393 17->19 18->17 18->19 20 a3f399-a3f3af 19->20 21 a3ddb8-a3e7f3 19->21 21->1
    APIs
    • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00A3F2BD
    • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 00A3F2E4
    • GetNativeSystemInfo.KERNELBASE(?), ref: 00A3F33B
    Memory Dump Source
    • Source File: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248064725.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248131682.00000000008C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248229804.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248247284.0000000000A13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248297613.0000000000A40000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248310980.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248327686.0000000000A4A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248343162.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248361779.0000000000A65000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248376112.0000000000A66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248390054.0000000000A68000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248404470.0000000000A6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248419923.0000000000A6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248435803.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248453724.0000000000A87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248481757.0000000000A8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248495568.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248512624.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248528889.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248543676.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248557586.0000000000AA5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248580010.0000000000AAC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248602585.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248627864.0000000000AC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248642930.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248659190.0000000000AC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248674425.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248690239.0000000000AD9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248706900.0000000000ADB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248722678.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248739930.0000000000AE5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248763592.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248780330.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248796939.0000000000B00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID: Open$InfoNativeSystem
    • String ID:
    • API String ID: 1247124224-0
    • Opcode ID: 9164c4de8b81b2af2be18811d1061fc8f9a245197b7c39659bcbcfefd0ee9827
    • Instruction ID: 992a2fcbe85e4a95c6ffc11d08c4b6508addcc04a7e128c8a39acae341fc9317
    • Opcode Fuzzy Hash: 9164c4de8b81b2af2be18811d1061fc8f9a245197b7c39659bcbcfefd0ee9827
    • Instruction Fuzzy Hash: 284155B141820ECFEF21DF60C989BEE77E4FB14310F41052AE99186941E77A4CA89B5A

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 32 49815c4-49815c6 33 49815c8 32->33 34 49815cc-49815ce 32->34 33->34 35 49815d0-49815d3 34->35 36 49815d4-498165a 34->36 35->36 38 498165c-4981666 36->38 39 4981693-49816b5 36->39 38->39 40 4981668-498166a 38->40 46 49816f1-4981712 39->46 47 49816b7-49816c4 39->47 41 498166c-4981676 40->41 42 498168d-4981690 40->42 44 4981678 41->44 45 498167a-4981689 41->45 42->39 44->45 45->45 48 498168b 45->48 53 498174b-498176d 46->53 54 4981714-498171e 46->54 47->46 49 49816c6-49816c8 47->49 48->42 51 49816ca-49816d4 49->51 52 49816eb-49816ee 49->52 55 49816d8-49816e7 51->55 56 49816d6 51->56 52->46 64 49817a9-49817ca 53->64 65 498176f-498177c 53->65 54->53 57 4981720-4981722 54->57 55->55 58 49816e9 55->58 56->55 59 4981724-498172e 57->59 60 4981745-4981748 57->60 58->52 62 4981730 59->62 63 4981732-4981741 59->63 60->53 62->63 63->63 66 4981743 63->66 73 49817cc-49817d6 64->73 74 4981803-4981825 64->74 65->64 67 498177e-4981780 65->67 66->60 69 4981782-498178c 67->69 70 49817a3-49817a6 67->70 71 498178e 69->71 72 4981790-498179f 69->72 70->64 71->72 72->72 75 49817a1 72->75 73->74 76 49817d8-49817da 73->76 80 4981861-4981867 74->80 81 4981827-4981834 74->81 75->70 78 49817dc-49817e6 76->78 79 49817fd-4981800 76->79 82 49817e8 78->82 83 49817ea-49817f9 78->83 79->74 88 4981871-49818d8 ChangeServiceConfigA 80->88 81->80 84 4981836-4981838 81->84 82->83 83->83 85 49817fb 83->85 86 498183a-4981844 84->86 87 498185b-498185e 84->87 85->79 89 4981848-4981857 86->89 90 4981846 86->90 87->80 91 49818da-49818e0 88->91 92 49818e1-4981920 88->92 89->89 93 4981859 89->93 90->89 91->92 95 4981930-4981934 92->95 96 4981922-4981926 92->96 93->87 99 4981944-4981948 95->99 100 4981936-498193a 95->100 96->95 98 4981928-498192b call 498013c 96->98 98->95 103 4981958-498195c 99->103 104 498194a-498194e 99->104 100->99 102 498193c-498193f call 498013c 100->102 102->99 107 498196c-4981970 103->107 108 498195e-4981962 103->108 104->103 106 4981950-4981953 call 498013c 104->106 106->103 109 4981980-4981984 107->109 110 4981972-4981976 107->110 108->107 112 4981964-4981967 call 498013c 108->112 114 4981994 109->114 115 4981986-498198a 109->115 110->109 113 4981978-498197b call 498013c 110->113 112->107 113->109 120 4981995 114->120 115->114 118 498198c-498198f call 498013c 115->118 118->114 120->120
    APIs
    • ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?), ref: 049818C8
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ChangeConfigService
    • String ID:
    • API String ID: 3849694230-0
    • Opcode ID: 6f0ded4650e13fdcd953b6b927511b54fec6245be1eff32bf4453edf934736be
    • Instruction ID: 037a1b2c44fd6e2074e54bf136007a90955fbf2b663896662c86a956e32d3564
    • Opcode Fuzzy Hash: 6f0ded4650e13fdcd953b6b927511b54fec6245be1eff32bf4453edf934736be
    • Instruction Fuzzy Hash: 6CC16A71D002199FDB10EFA8C9467AEBBF5FB49314F04863DE855E7294DB74A882CB81

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 207 a2d90d-a2d90f LoadLibraryA 208 a2d91a-a2d979 207->208 209 a2d97b-a2d9b7 208->209 210 a2d9bc-a2da03 208->210 209->210
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 6a8e356e9f41414738e87d784f7e8b1e09a9219545dcac4cef13d6519ac7550c
    • Instruction ID: 03a6512fdb069e32dde10862f082dfe846bb5e12b1c1ccf880e29c51852085b9
    • Opcode Fuzzy Hash: 6a8e356e9f41414738e87d784f7e8b1e09a9219545dcac4cef13d6519ac7550c
    • Instruction Fuzzy Hash: AC314FF250D600AFD712AF19DC816AAFBF5EF99311F15482DE6C483211E7319854CB97

    Control-flow Graph: OpenSCManagerW in block 4980dab-4980dda
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04980DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: f69b9e61e1f80a52c2b674c9064aaab53076847f1953c6c4dc9f514d9ffcc1e4
    • Instruction ID: bc8d203caf897f7b13701aa09a626e43afffb9810b2bae973b798c1c25c5050a
    • Opcode Fuzzy Hash: f69b9e61e1f80a52c2b674c9064aaab53076847f1953c6c4dc9f514d9ffcc1e4
    • Instruction Fuzzy Hash: 4D2125B68003189FCB50DF9DD984ADEFBF8EB88310F15812AE908AB205D734A545CBA5

    Control-flow Graph: OpenSCManagerW in block 4980dab-4980dda
    APIs
    • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 04980DCD
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ManagerOpen
    • String ID:
    • API String ID: 1889721586-0
    • Opcode ID: 242683b2e59c04becc1fa731d625af836c992ff87df7cdbdf1eed3febdc44dd0
    • Instruction ID: 7b5cfde923ce1653c5b9902a814a91db2896d78bb2fe61b7d858e6ab9ff9cf9d
    • Opcode Fuzzy Hash: 242683b2e59c04becc1fa731d625af836c992ff87df7cdbdf1eed3febdc44dd0
    • Instruction Fuzzy Hash: B12115B6C002199FCB50DF99D984ADEFBF4EB88310F15812AD908AB205D734A544CBA5

    Control-flow Graph: ControlService in block 4981558-498158d
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04981580
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: fb3603116d2fe0032b0c166357cfa6e794ad9deaf62b0f84ef8b35b7b3c7746b
    • Instruction ID: 8096ca3db14126a6e03d75e017972155e806e478e446a044f6d3443cabf3c8f4
    • Opcode Fuzzy Hash: fb3603116d2fe0032b0c166357cfa6e794ad9deaf62b0f84ef8b35b7b3c7746b
    • Instruction Fuzzy Hash: 0B2147B1800209DFDB20CF9AC984BDEFBF8EB48320F14802AE518A3201C734A644CFA5

    Control-flow Graph: ControlService in block 4981510-498158d
    APIs
    • ControlService.ADVAPI32(?,?,?), ref: 04981580
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ControlService
    • String ID:
    • API String ID: 253159669-0
    • Opcode ID: a6ea8a5278f96bcb578ee2a0779f4704db3c6486cdb08667afbd8d35a4b5438b
    • Instruction ID: e674f1540298192a07b280dbaac2f0c405d2b642c616d36a5bf2a6ee1d5fe64a
    • Opcode Fuzzy Hash: a6ea8a5278f96bcb578ee2a0779f4704db3c6486cdb08667afbd8d35a4b5438b
    • Instruction Fuzzy Hash: A31117B1900249CFDB10CF9AD984BDEFBF4EB48320F14802AE518A3240D774A644CFA5

    Control-flow Graph: ImpersonateLoggedOnUser in block 4981349-4981374
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04981367
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: ebbc0bfeb0d9d7dc622679d91bb9bab0fd77f01d5ccdcd8e60c111da41686e47
    • Instruction ID: e28eecd2510e3ad40aacad3ed09ec2e98dbf1d854dff8162f20cdcad3de25c68
    • Opcode Fuzzy Hash: ebbc0bfeb0d9d7dc622679d91bb9bab0fd77f01d5ccdcd8e60c111da41686e47
    • Instruction Fuzzy Hash: 851146B2804249CFDB10DF9AD545BDEFBF8EB48320F24842AD958A3240C734A984CFA1

    Control-flow Graph: ImpersonateLoggedOnUser in block 4981308-4981374
    APIs
    • ImpersonateLoggedOnUser.KERNELBASE ref: 04981367
    Memory Dump Source
    • Source File: 00000000.00000002.2250366296.0000000004980000.00000040.00000800.00020000.00000000.sdmp, Offset: 04980000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_4980000_file.jbxd
    Similarity
    • API ID: ImpersonateLoggedUser
    • String ID:
    • API String ID: 2216092060-0
    • Opcode ID: 5889888d1116d928f9bdc11f312ed7d493cc35f2bc395deaced679077ebfc4b9
    • Instruction ID: e637e98aad349928afc44f519946017c2001494f26c45c212adb739176cea202
    • Opcode Fuzzy Hash: 5889888d1116d928f9bdc11f312ed7d493cc35f2bc395deaced679077ebfc4b9
    • Instruction Fuzzy Hash: 131136B1800249CFDB10CF9AC945BDEFBF8EB48320F14842AD558A3240D778A944CFA5

    Control-flow Graph: LoadLibraryA in block a3a2d6-a3a2e1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: 7f9fee812654be911fe93677928b079cc7299ba664cedd48e626d95ff7fe35ab
    • Instruction ID: 12ab10036a786428ec0fe341274a58f480b460c2326db85de5693509df97cdc1
    • Opcode Fuzzy Hash: 7f9fee812654be911fe93677928b079cc7299ba664cedd48e626d95ff7fe35ab
    • Instruction Fuzzy Hash: 66E0ECB1618704AFD3002F5E98C5D3EBBF5FA88754F11483DEACA96A02E6B05C915726

    Control-flow Graph: VirtualAlloc in block 8be5f2-8be618
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 008BE5F7
    Memory Dump Source
    • Source File: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 54a41ee82ef7a807d04b78f1446c1c6783ca72abade6c3a39f966cb888a2a275
    • Instruction ID: 928a5233bca1b55d00668300d8c492a60a0d4b268af19f2f2851fe2a9496d759
    • Opcode Fuzzy Hash: 54a41ee82ef7a807d04b78f1446c1c6783ca72abade6c3a39f966cb888a2a275
    • Instruction Fuzzy Hash: BCE099B0008609DFD7506F289880ABDBBF1FF18704F12082CEAC59A650D23618A1DB17
    APIs
    • VirtualAlloc.KERNELBASE(00000000), ref: 008BE88B
    Memory Dump Source
    • Source File: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 3ffe565287579e52a414c2714f52c2ca72e904c8f27fbceb8ea2adfc0aacfcd9
    • Instruction ID: 97ea251825eb6ed7e42bbb553a895b9be839c05643ebb6954e84697788f2bd75
    • Opcode Fuzzy Hash: 3ffe565287579e52a414c2714f52c2ca72e904c8f27fbceb8ea2adfc0aacfcd9
    • Instruction Fuzzy Hash: 67D0E27141C609DFCB442F78A0085EE7AB4FF04312F200A1DF896C2AC0DB318C509B0A
    Memory Dump Source
    • Source File: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 4d0c36b42a915f8a50185c6080811cc4b55412930ab9ee50716d5f85543b1f67
    • Instruction ID: 0037c656898b2e8dbce0ec2b020bd36337d472278ae369c4057ef90c9c8cc869
    • Opcode Fuzzy Hash: 4d0c36b42a915f8a50185c6080811cc4b55412930ab9ee50716d5f85543b1f67
    • Instruction Fuzzy Hash: B7B18BB3F116254BF7544839DD583A226839BD5320F2F82788BADAB7C5DC7E9C4A4384
    Memory Dump Source
    • Source File: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248064725.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248131682.00000000008C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248229804.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248247284.0000000000A13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248297613.0000000000A40000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248310980.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248327686.0000000000A4A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248343162.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248361779.0000000000A65000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248376112.0000000000A66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248390054.0000000000A68000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248404470.0000000000A6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248419923.0000000000A6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248435803.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248453724.0000000000A87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248481757.0000000000A8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248495568.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248512624.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248528889.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248543676.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248557586.0000000000AA5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248580010.0000000000AAC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248602585.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248627864.0000000000AC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248642930.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248659190.0000000000AC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248674425.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248690239.0000000000AD9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248706900.0000000000ADB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248722678.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248739930.0000000000AE5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248763592.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248780330.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248796939.0000000000B00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1036dcda77aff0b393a8c69595dc815f6661a96cded7eaaea57b1a44a3056783
    • Instruction ID: 9049cf8d9dd0ce5de6a8242dc8d9907ffd627593bf11154e773c6a7831728aa3
    • Opcode Fuzzy Hash: 1036dcda77aff0b393a8c69595dc815f6661a96cded7eaaea57b1a44a3056783
    • Instruction Fuzzy Hash: A5515DB380CA189BD320692CDDC8A37BEE8DB54360F37466EE997D7BC0F52159015982
    Memory Dump Source
    • Source File: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248064725.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248131682.00000000008C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248229804.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248247284.0000000000A13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248297613.0000000000A40000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248310980.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248327686.0000000000A4A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248343162.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248361779.0000000000A65000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248376112.0000000000A66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248390054.0000000000A68000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248404470.0000000000A6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248419923.0000000000A6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248435803.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248453724.0000000000A87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248481757.0000000000A8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248495568.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248512624.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248528889.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248543676.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248557586.0000000000AA5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248580010.0000000000AAC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248602585.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248627864.0000000000AC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248642930.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248659190.0000000000AC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248674425.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248690239.0000000000AD9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248706900.0000000000ADB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248722678.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248739930.0000000000AE5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248763592.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248780330.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248796939.0000000000B00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a3dacf28ddc1af46fa861c79e6ab1b11fd3f9f5523c159147d59dd8de64c96e0
    • Instruction ID: 390ac3a7f58cab5382d16e17e9b7c27f0dfa94c6dac2fdd99708402e064237aa
    • Opcode Fuzzy Hash: a3dacf28ddc1af46fa861c79e6ab1b11fd3f9f5523c159147d59dd8de64c96e0
    • Instruction Fuzzy Hash: 71318FB3F516214BF34448B9DC983A2258387D9321F2F82798E6CAB7C5DCBE0C4A0384
    Memory Dump Source
    • Source File: 00000000.00000002.2248266477.0000000000A35000.00000040.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.2248064725.00000000008B0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248080623.00000000008B2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248099069.00000000008B6000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248114014.00000000008BA000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248131682.00000000008C6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248229804.0000000000A11000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248247284.0000000000A13000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248266477.0000000000A2A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248297613.0000000000A40000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248310980.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248327686.0000000000A4A000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248343162.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248361779.0000000000A65000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248376112.0000000000A66000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248390054.0000000000A68000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248404470.0000000000A6D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248419923.0000000000A6F000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248435803.0000000000A7A000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248453724.0000000000A87000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248468052.0000000000A89000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248481757.0000000000A8B000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248495568.0000000000A8D000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248512624.0000000000A9D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248528889.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248543676.0000000000AA0000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248557586.0000000000AA5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248580010.0000000000AAC000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248602585.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248627864.0000000000AC6000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248642930.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248659190.0000000000AC9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248674425.0000000000AD2000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248690239.0000000000AD9000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248706900.0000000000ADB000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248722678.0000000000AE3000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248739930.0000000000AE5000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248763592.0000000000AFD000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248780330.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248796939.0000000000B00000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248813543.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B3D000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248842860.0000000000B44000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248877959.0000000000B54000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2248896017.0000000000B56000.00000080.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_file.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 242dcc3b208de93b00693cc5b572d15ef3e96f91d8cf55b5687bca31b2b7440a
    • Instruction ID: cd64e0507c6b55b41631c8d21adf4d613b8b4a33f8e02071816024718762e21b
    • Opcode Fuzzy Hash: 242dcc3b208de93b00693cc5b572d15ef3e96f91d8cf55b5687bca31b2b7440a
    • Instruction Fuzzy Hash: BB11B7B390D1209BE32C9E2A984147FB7A5EFC4774F27862DE9C69B350CA31180196D6